Multiple BSD Rogue Game Multiple Overflows

2002-09-28T00:00:00
ID OSVDB:6098
Type osvdb
Reporter stanojr(stanojr@iserver.sk)
Modified 2002-09-28T00:00:00

Description

Vulnerability Description

A local overflow exists in Rogue, a game found on FreeBSD and NetBSD. The game fails to check bounds when reading the saved game file, resulting in a buffer overflow. With a specially crafted request, an attacker can obtain group "games" resulting in a loss of integrity.

Solution Description

Upgrade to NetBSD version 1.6 after the correction date or higher, as it has been reported to fix this vulnerability. In addition, NetBSD has released a patch for some older versions. It is also possible to correct the flaw by implementing the following workaround: chmod g-s /usr/games/rogue

Currently, there are no known upgrades or patches available to correct this issue on FreeBSD. It is possible to correct the flaw by implementing the aforementioned NetBSD workaround on FreeBSD.

Short Description

A local overflow exists in Rogue, a game found on FreeBSD and NetBSD. The game fails to check bounds when reading the saved game file, resulting in a buffer overflow. With a specially crafted request, an attacker can obtain group "games" resulting in a loss of integrity.

References:

Vendor Specific Solution URL: ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-021-rogue.patch Vendor Specific Advisory URL Secunia Advisory ID:7181 Secunia Advisory ID:7252 Other Advisory URL: http://lists.netsys.com/pipermail/full-disclosure/2002-October/002407.html Mail List Post: http://seclists.org/lists/bugtraq/2002/Sep/0312.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-09/0350.html Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103342413220529&w=2 ISS X-Force ID: 10261 Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/instant-rogue-exp.sh Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2002-09/att-0350/01-instant-rogue-exp.sh CVE-2002-1192 Bugtraq ID: 5837