Your message dated Tue, 21 Feb 2006 07:17:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#292065: fixed in xshisen 1.51-1-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xshisen
Version: 1.51-1-1.1
Severity: grave
Tags: security

I've noticed a few more interesting things in xshisen that might let it
be exploited to get gid games and similar fun. I haven't exploited all
of these and I don't know if they all really _are_ exploitable. This is
just the result of a little 10 minute audit I did to get some idea of
whether xshisen is likely to have more unfixed security holes besides
the most recent set of three.


1. Unsafe resource file reading.

    rcfile = new char [strlen(home) + 12];
    sprintf(rcfile, "%s/.xshisenrc", home);
    rdb2 = XrmGetFileDatabase(rcfile);

Here it loads up ~/.xshisenrc using XrmGetFileDatabase. Since this file
is in the user's home directory, it can be replaced by the user with
arbitrary content. According to the man page for XrmGetFileDatabase,
"the database that results from reading a file with incorrect syntax is
implementation-dependent." Since this function's behavior on corrupted
resource files is undefined, it seems likely that one might be able to
at least crash xshisen with such a file, and possibly run shellcode.

Partial proof of concept:

[EMAIL PROTECTED]:~>cp =ls .xshisen
[EMAIL PROTECTED]:~>xshisen
Warning: Missing charsets in String to FontSet conversion
zsh: segmentation fault  xshisen

Whether this is truly exploitable, I don't know.

2. Unsafe XSHISENLIB environment variable.

    if ((lib_directory = getenv("XSHISENLIB")) == NULL)
            lib_directory = globRes.libDir;
            
Here it lets an environment variable control the lib directory that
xpm files are read from. These files are read by XpmReadFileToPixmap.
I don't know if that library function can be exploited by broken xpm
files, but any bug in it has the potential to be exploited via xshisen.

3. Unsafe XSHISENDAT environment variable.

    if ((dat_directory = getenv("XSHISENDAT")) == NULL)
          dat_directory = debscoredir;

Here it lets an environment variable control the directory it uses to write
the global high score file. So you just point a symlink to a file you'd
like to overwrite and redirect the XSHISENDAT to that directory:

[EMAIL PROTECTED]:~>echo hi > file           
[EMAIL PROTECTED]:~>ls -l xshisen.scores 
lrwxrwxrwx  1 joey joey 4 Jan 24 16:05 xshisen.scores -> file
[EMAIL PROTECTED]:~>XSHISENDAT=. xshisen
Warning: Missing charsets in String to FontSet conversion
[here I finished a game in click trial mode]
[EMAIL PROTECTED]:~>head file
hi
joey     (Joey Hess)         X1.51 00:01:45 05-01-24 16:07:40 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 
                             X1.51 99:99:99 00-00-00 00:00:00 

Like bug #291613 this symlink attack allows (over)writing files owned by
group games.

There's also the possibility of providing an xshisen.scores file
that overflows a buffer or something in the code that reads the high score
file. I don't see any overflows in that code offhand, but I didn't look very
hard.


My gut feeling after this little audit is that xshisen is not written
securely and should not be made setgid on a modern unix system. The
easiest fix seems to me to be removing the global high score file and
removing the sgid bit.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages xshisen depends on:
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-7       GCC support library
ii  libice6                  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  libsm6                   4.3.0.dfsg.1-10 X Window System Session Management
ii  libstdc++5               1:3.3.5-6       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxaw7                  4.3.0.dfsg.1-10 X Athena widget set library
ii  libxmu6                  4.3.0.dfsg.1-10 X Window System miscellaneous util
ii  libxpm4                  4.3.0.dfsg.1-10 X pixmap library
ii  libxt6                   4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu

-- no debconf information

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
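Findings 2 and 3 in the report above, the environment-controlled directories and the symlink overwrite of the score file, as an added example; this is not code from the bug report or from xshisen itself. It puts the getenv()/open() pattern the report describes next to a hardened version: the environment override is ignored when the process runs set-id (a portable stand-in for glibc's secure_getenv(), which decides from AT_SECURE), and the score file is opened with O_NOFOLLOW and verified with fstat() on the descriptor rather than stat() on the path. The function names, the /var/games default and the scratch-directory replay of the attack are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCORE_NAME "xshisen.scores"
/* Assumed default; the report only shows the variable name debscoredir. */
#define DEFAULT_SCORE_DIR "/var/games"

/* Environment lookup a set-id binary can trust: when the real and effective
 * ids differ the environment was supplied by an untrusted caller, so the
 * override is ignored.  glibc's secure_getenv() makes the same decision from
 * AT_SECURE; the id comparison is used here so the example is portable. */
const char *trusted_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Replacement for the XSHISENDAT lookup quoted in finding 3. */
const char *score_dir(void)
{
    const char *d = trusted_getenv("XSHISENDAT");
    return d ? d : DEFAULT_SCORE_DIR;
}

static int build_path(char *buf, size_t len, const char *dir)
{
    int n = snprintf(buf, len, "%s/" SCORE_NAME, dir);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* The pattern the report exploits: open() follows xshisen.scores wherever the
 * caller pointed it, so a gid-games process clobbers that target. */
int open_scores_unsafe(const char *dir)
{
    char path[4096];
    if (build_path(path, sizeof path, dir) < 0)
        return -1;
    return open(path, O_RDWR);
}

/* Hardened open: O_NOFOLLOW makes a symlink fail with ELOOP, and fstat on the
 * descriptor (not stat on the path, which would race) confirms a plain
 * regular file.  No O_CREAT: the score file is created at install time. */
int open_scores_safe(const char *dir)
{
    char path[4096];
    struct stat st;
    int fd;
    if (build_path(path, sizeof path, dir) < 0)
        return -1;
    fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Replays the report's attack in a scratch directory: a file "target" and
 * xshisen.scores -> target.  Returns 1 when the unsafe open follows the link
 * while the safe open refuses it with ELOOP, 0 if either behaves otherwise,
 * -1 if the scratch setup itself failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/xshisen-demo-XXXXXX";
    char target[64], lnk[64];
    int tfd, unsafe_fd = -1, safe_fd = -1, safe_errno = 0, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/" SCORE_NAME, dir);

    tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0)
        goto out;
    if (write(tfd, "hi\n", 3) != 3) {
        close(tfd);
        goto out;
    }
    close(tfd);
    if (symlink("target", lnk) < 0)
        goto out;

    unsafe_fd = open_scores_unsafe(dir);   /* follows the link: would clobber target */
    safe_fd = open_scores_safe(dir);       /* refused: ELOOP from O_NOFOLLOW */
    safe_errno = errno;
    result = (unsafe_fd >= 0 && safe_fd < 0 && safe_errno == ELOOP);

out:
    if (unsafe_fd >= 0) close(unsafe_fd);
    if (safe_fd >= 0) close(safe_fd);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("symlink attack blocked by O_NOFOLLOW: %s\n", r == 1 ? "yes" : "no");
    printf("score dir in use: %s\n", score_dir());
    return r == 1 ? 0 : 1;
}
```

Build with cc -o demo demo.c and run it as an ordinary user; the replay creates its symlink under /tmp, so no sgid bit is needed to see the two opens diverge. The id comparison in trusted_getenv() covers the sgid-games case the report is about but not a process granted capabilities without an id change, which is why secure_getenv() is the better choice where glibc is available. The fix that actually shipped for this bug was to drop the global score file and the sgid bit altogether, which removes the trust problem instead of hardening around it.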
--- Begin Message ---
Source: xshisen
Source-Version: 1.51-1-2

We believe that the bug you reported is fixed in the latest version of
xshisen, which is due to be installed in the Debian FTP archive:

xshisen_1.51-1-2.diff.gz
  to pool/main/x/xshisen/xshisen_1.51-1-2.diff.gz
xshisen_1.51-1-2.dsc
  to pool/main/x/xshisen/xshisen_1.51-1-2.dsc
xshisen_1.51-1-2_i386.deb
  to pool/main/x/xshisen/xshisen_1.51-1-2_i386.deb
xshisen_1.51-1.orig.tar.gz
  to pool/main/x/xshisen/xshisen_1.51-1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zak B. Elep <[EMAIL PROTECTED]> (supplier of updated xshisen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Feb 2006 22:35:26 +0800
Source: xshisen
Binary: xshisen
Architecture: source i386
Version: 1.51-1-2
Distribution: unstable
Urgency: high
Maintainer: Zak B. Elep <[EMAIL PROTECTED]>
Changed-By: Zak B. Elep <[EMAIL PROTECTED]>
Description: 
 xshisen    - Shisen-sho puzzle game for X11
Closes: 213957 289784 291279 291613 292065 346854
Changes: 
 xshisen (1.51-1-2) unstable; urgency=low
 .
   * New maintainer (as agreed with former maintainer; see
     http://lists.debian.org/debian-devel/2006/02/msg00007.html)
   * Fix strange source packaging problem (Closes: #291279)
   * debian/control:
     - Changed build system to CDBS + debhelper.
     - Bump Standards-Version.
     - Bump debhelper Build-Depends to (>= 5) ; updated compat too.
     - Slightly touch description; added homepage too.
   * debian/patches:
     - Added 10_oldfixes.patch .  Must sort the various hunks out soon.
       Acknowledging NMUs .
     - Added 11_manpage_fixes.patch to properly format C and ja manpages.
     - Added 20_autotools_update.patch .
   * debian/rules:
     - Remove extra Japanese manpages as suggested by Nicolas François.
       Remove app-defaults for these extra locales too.
   * debian/menu:
     - Properly quote menu entry.
 .
 xshisen (1.51-1-1.3) unstable; urgency=low
 .
   * Non-maintainer upload to do xlibs-dev transition.
   * Update debian/control to not build-depend on xlibs-dev anymore. (Closes:
     #346854)
   * Fix Makefile.in to reflect GNU make behaviour change regarding line
     continuations and whitespace.
 .
 xshisen (1.51-1-1.2) unstable; urgency=HIGH
 .
   * NMU (at maintainer's request).
   * Add NO_GLOBAL_HIGHSCORE define which crudely disables the support for
     a global score file.
   * Remove sgid bit. Closes: #291613, #292065
   * Comment out code in postinst that set up /var/games/xshisen.scores,
     but for now, do not delete that file on upgrade.
   * Add README.Debian.
 .
 xshisen (1.51-1-1.1) unstable; urgency=HIGH
 .
   * NMU
   * Fix buffer overflow in handling of GECOS field (CAN-2005-0117)
     using patch from Ulf Harnhammar. Closes: #289784
 .
 xshisen (1.51-1-1) unstable; urgency=high
 .
   * Non-maintainer upload with consent from Grzegorz.
   * Fix a locally exploitable buffer overflow allowing GID(games).
     (Closes: #213957)
Files: 
 9bb81ea94342beafadfc0554cda517aa 660 games optional xshisen_1.51-1-2.dsc
 5f0ef1d7811401876de717fd6771fe47 85350 games optional xshisen_1.51-1.orig.tar.gz
 6f2400fcf46f8feecb2f25e2547e2951 79053 games optional xshisen_1.51-1-2.diff.gz
 51737af066b25119295ba5c8317ee375 61262 games optional xshisen_1.51-1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD+yumlAuUx1tI/64RAgQpAJ4+6/S5G1rOUtHbGbu6d3/BoGL1ewCfdXuT
oXQMYfMT/5MqMDvqwd6rfHM=
=mJ0A
-----END PGP SIGNATURE-----


--- End Message ---
