Date: Wed, 12 Nov 1997 16:30:03 +1100
From: SUID <suid@BOMBER.STEALTH.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in Lizards game

Greetings.

Recently, looking through the source of the suid root game called Lizards, I noticed a vulnerability which is incredibly trivial to allow regular users at the console to gain unauthorized root access.

The exploitable code is found in the main portion of the code, on the second last line in fact:

---
...
    system("clear");
    return EXIT_SUCCESS;
}
---

As this program does not seem to relinquish root privileges anywhere, it executes "clear" (supposed to be /usr/bin/clear) as root, assuming everything is cool.

Simply changing the user's PATH environment variable to something like PATH=.:/usr/games/lizardlib, then creating a symlink (or a sh script) called "clear" that executes a shell of your liking, will cause that command to be executed as root when the program exits. Voila, a root shell.

Of course this requires the game to run smoothly.

This game comes with Slackware 3.4 in the y package.

Lame fix: chmod -s /usr/games/lizardlib/lizardshi

Better fix: Change the source code, recompile lizards to reference "clear" absolutely.

Regards
suid@stealth.com.au


Date: Mon, 17 Nov 1997 19:30:31 +0000
From: Neil Levine
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Vulnerability in Lizards game

On Thu, Nov 13, 1997 at 12:19:34PM -0500, Kragen "Skewed" Sitaker mumbled:
> Yes, but as you point out in your post, programs running with svgalib
> under ioperm maintain an open fd to /dev/mem -- so if one can compromise
> them, then one can get root, patch the kernel without getting root, or
> whatever.

I forwarded the above threads to the author, who did try posting onto this list, but they haven't appeared, so here is his response:

-------------------------------------------------------------------
Yikes!

As author (some time ago) of lizards, I'd like to point out that my install script (which I believe is still distributed in the archive) did *not* set the user Id of the game to root. I was working on the assumption that anyone playing SVGAlib games (at a time when SVGAlib wasn't exactly stable) would (a) not be running them on an important machine, and (b) be able to run it via sudo as they were probably (at the time) the owners of the machine, using it at home.

In the two years since it was written, I haven't developed any SVGAlib software at all, simply because of the security implications. Now that Linux is gaining popularity in the commercial world (our nameserver is a Linux box), I find it a bit strange that SVGAlib games are still in distribution anyway.

I'm not sure why Pat Volkerding set it up to install setuid root, though - that does seem like a bit of a kludge for a major distribution - but then again, my system("clear") wasn't particularly elegant either. How about system("/usr/bin/clear")?

John M Dow
--
--------------------------------------------------------------------
Neil Levine                        Yoyo Internet Services
levine@yoyo.org                    http://www.yoyo.org
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." - Richard Feynman
--------------------------------------------------------------------
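The thread settles on system("/usr/bin/clear") as the fix. An absolute path closes the PATH hole, but system() still runs the command as root and still inherits the caller's environment. The following C example, added here and not code from Lizards or from either poster, shows the defensive pattern a setuid program should use instead: check whether PATH contains any relative or empty entries (the condition the first post exploits), drop root for good before spawning anything, and exec a fixed binary with a minimal environment rather than through the shell. The function names path_is_trustworthy, drop_privileges and clear_screen_safely, and the hard-coded /usr/bin/clear path, are this example's own assumptions.

```c
/* Added example: hardening the system("clear") pattern from a setuid-root game.
 * Not part of the Lizards source; function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Return 1 if every PATH entry is an absolute directory, 0 if any entry is
 * empty (an empty entry means the current directory), "." or otherwise
 * relative. A setuid program that calls system() with such a PATH searches
 * directories the caller controls while running as root. */
int path_is_trustworthy(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;           /* empty, ".", "..", or other relative entry */
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* Permanently give up root: set the real, effective and saved ids to the
 * invoking user's. Group first, then user, because once the uid is dropped
 * setgid() would no longer be permitted. Returns 0 on success, -1 if a step
 * fails or if root can still be regained afterwards. */
int drop_privileges(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must now fail */
        return -1;
    return 0;
}

/* Clear the terminal without trusting the caller's PATH, without the shell,
 * and without root: fork, drop privileges in the child, then execve() the
 * fixed path with a minimal environment (only TERM is passed through, since
 * clear needs it). Returns the child's exit status, or -1 on error. */
int clear_screen_safely(void)
{
    char term_env[256];
    const char *term = getenv("TERM");
    snprintf(term_env, sizeof term_env, "TERM=%s", term ? term : "dumb");

    char *const argv[] = { "clear", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", term_env, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        execve("/usr/bin/clear", argv, envp);   /* assumed location */
        _exit(127);                             /* only reached on exec failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Diagnostic only: the safe path below does not depend on PATH at all. */
    const char *path = getenv("PATH");
    if (!path_is_trustworthy(path))
        fprintf(stderr, "warning: PATH contains a relative or empty entry\n");

    int rc = clear_screen_safely();
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

path_is_trustworthy is a diagnostic for the exact condition the first post describes (PATH=.:/usr/games/lizardlib starts with a relative entry); the real protection is that clear_screen_safely never consults PATH and never holds root while the external program runs. The privilege drop happens in the child so the parent keeps whatever rights it still needs, and the post-drop setuid(0) probe catches the case where only the effective id was changed.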