InfoSect's Month of Pointless Bugs (#21)
InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bug #21
In bsdgames/phantasia
int
main(argc, argv)
    int argc;
    char **argv;
{
    bool noheader = FALSE;   /* set if don't want header */
    bool headeronly = FALSE; /* set if only want header */
    bool examine = FALSE;    /* set if examine a character */
    time_t seconds;          /* for time of day */
    double dtemp;            /* for temporary calculations */
    initialstate();          /* init globals */
    ...
void
initialstate()
{
    struct stat sb;
    Beyond = FALSE;
    Marsh = FALSE;
    Throne = FALSE;
    Changed = FALSE;
    Wizard = FALSE;
    Timeout = FALSE;
    Users = 0;
    Windows = FALSE;
    Echo = TRUE;
    /* setup login name */
    if ((Login = getlogin()) == NULL)
        Login = getpwuid(getuid())->pw_name;
    ...
+++ back to main()
    /* update some important player statistics */
    strcpy(Player.p_login, Login);
+++ how big is Player.p_login?
struct player /* player statistics */
{
    double p_experience;    /* experience */
    double p_level;         /* level */
    ...
    char p_login[SZ_LOGIN]; /* login */
};
+++ ok.. so lets look at SZ_LOGIN
#define SZ_LOGIN 9 /* size of login (incl. trailing nul) */
So this code assumes login names are at most 8 characters long? If the login name is longer, strcpy() writes past the end of p_login and there is a buffer overflow. The Player structure is a global, so it lives in the bss section.
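As an added illustration (not phantasia's code), here is the same 9-byte login field in a global struct, with a bounds-checked replacement for the unchecked strcpy(): the copy is refused when the name plus its terminating NUL would not fit in SZ_LOGIN. The neighbouring p_gold field and the sample login names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define SZ_LOGIN 9 /* size of login (incl. trailing nul), as in phantasia */

/* Cut-down stand-in for the game's struct player: a 9-byte login field
 * followed by a hypothetical neighbour that an overflow would clobber. */
struct player {
    char p_login[SZ_LOGIN];
    double p_gold; /* hypothetical field standing in for the rest of the struct */
};

static struct player Player; /* global, so it sits in .bss like the original */

/* Precondition the original strcpy() silently relies on:
 * returns 1 if the login (plus NUL) fits in p_login, 0 otherwise. */
int login_fits(const char *login)
{
    return strlen(login) < SZ_LOGIN;
}

/* Hardened replacement for strcpy(Player.p_login, Login).
 * Copies only when the name fits; otherwise leaves the field untouched.
 * Returns 0 on success, -1 when the login is too long. */
int set_login(struct player *p, const char *login)
{
    size_t n = strlen(login);
    if (n >= SZ_LOGIN)
        return -1;
    memcpy(p->p_login, login, n + 1); /* n + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    const char *ok = "alice";                  /* constructed: 5 chars */
    const char *toolong = "averylongloginname"; /* constructed: 18 chars */

    printf("\"%s\" fits: %d\n", ok, login_fits(ok));
    printf("\"%s\" fits: %d\n", toolong, login_fits(toolong));

    if (set_login(&Player, toolong) != 0)
        printf("refused: login longer than %d characters\n", SZ_LOGIN - 1);
    return 0;
}
```
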