Date: Sat, 25 Apr 1998 14:36:26 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Minor hole in "cxhextris" on certain Linux.

Hi,

[This is a minor problem]

On my RedHat Linux systems, cxhextris has a binary called "xhextris", and it
runs under the euid "games".

  -rwsr-xr-x   1 games    games       49688 Apr 25 14:02 /usr/X11R6/bin/xhextris

A bug in this program will allow local users to subvert the user "games",
perhaps using this to then hide their activities (or cheat in the high score
table!! :-)

Details:

The name of the player can optionally be taken from the environment variable
"XHEXNAME":

  xio.c:
    if ((name = (char *)getenv("XHEXNAME")) == NULL)

This can obviously be of an arbitrary length. When a high score is achieved:

    strcpy(high_scores[i].name, name);

This overflows a buffer on the stack of the function main().

At the same time this is fixed, the following should also be fixed:

  xio.c:
    #ifdef LOG
    strcpy(log_message,log_name);

log_name can come from getenv("USER") on admittedly rare circumstances.

Cheers
Chris
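As an added illustration (not code from this advisory or from cxhextris itself), here is the unbounded copy pattern described above next to a bounded replacement that truncates instead of overflowing; the struct layout, NAME_LEN and the function names are assumptions chosen for the example.

```c
/* Added example, not the cxhextris source.  Field sizes and names are
 * assumed; the point is the bounded copy of an attacker-controlled,
 * arbitrarily long environment value such as XHEXNAME. */
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32            /* assumed size of high_scores[i].name */

struct high_score {
    char name[NAME_LEN];
    long score;
};

/* Copy src into a fixed-size buffer: always NUL-terminates and truncates
 * rather than writing past dst.  Returns 1 if truncation happened, else 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst_size == 0)
        return 1;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Vulnerable pattern from the advisory:  strcpy(high_scores[i].name, name);
 * Hardened form: the copy is limited to the destination's real size. */
int set_high_score_name(struct high_score *hs, const char *name)
{
    return bounded_copy(hs->name, sizeof hs->name, name);
}

/* Resolve the player name as xio.c does (XHEXNAME first, else a default)
 * without trusting its length.  Returns 1 if the name was truncated. */
int player_name(char *out, size_t out_size, const char *fallback)
{
    const char *name = getenv("XHEXNAME");
    if (name == NULL)
        name = fallback;
    return bounded_copy(out, out_size, name);
}
```

The same bounded_copy() applies to the log_message/log_name copy the advisory lists second, since that value also originates from the environment.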