
Local stack-based overflow found in silly Poker v0.25.5 (advisory + PoC exploit)



Local stack-based overflow found in silly Poker v0.25.5
silly Poker contains a $HOME environment variable stack overflow,
which can be exploited very simply to execute arbitrary code with gid=games
privileges.

demz
demz@xxxxxxxxxx

01100011 - code 'security research team'
----------------------------------------

- http://www.c-code.net
- Advisory and PoC exploit by: demz // demz@xxxxxxxxxx
- Vulnerable source: silly Poker v0.25.5
- Bug type: Stack overflow
- Priority: 3

----------------------------------------

[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response

[01] Description

     silly Poker is a simple yet comprehensive player vs. computer console
     poker game, written in C++.

     silly Poker contains a $HOME environment variable stack overflow,
     which can be exploited very simply to execute arbitrary code with gid=games
     privileges.
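     As an illustration of the bug class described above (added here; this is not silly Poker's source, which the advisory does not quote), a hypothetical C routine that copies $HOME into a fixed-size stack buffer, next to a bounded version that refuses over-long values instead of overflowing. The buffer size and the ".sillypoker" suffix are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 128   /* assumed fixed stack buffer size (hypothetical) */

/* Vulnerable pattern: the attacker-controlled $HOME value is copied into a
 * fixed stack buffer with no length check, so a value longer than
 * PATH_BUF-1 bytes overwrites the saved frame data above the buffer.
 * Kept only to show the shape of the bug; never feed it untrusted input. */
static void build_save_path_vulnerable(const char *home, char *out)
{
    char buf[PATH_BUF];
    strcpy(buf, home);               /* unbounded copy: the overflow */
    strcat(buf, "/.sillypoker");
    strcpy(out, buf);
}

/* Hardened form: every copy is bounded by the destination size and an
 * over-long, empty or missing $HOME is rejected rather than truncated.
 * Returns 0 on success, -1 when the value cannot be used safely. */
static int build_save_path_safe(const char *home, char *out, size_t outsz)
{
    if (home == NULL || *home == '\0' || out == NULL || outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "%s/.sillypoker", home);
    if (n < 0 || (size_t)n >= outsz)  /* would not fit: refuse */
        return -1;
    return 0;
}

int main(void)
{
    char out[PATH_BUF + 16];
    /* Constructed sample values; a real program would read getenv("HOME"). */
    const char *short_home = "/home/demz";
    char long_home[600];
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';

    build_save_path_vulnerable(short_home, out);   /* fits, so no damage */
    printf("vulnerable (short input): %s\n", out);

    printf("safe (short input): rc=%d\n", build_save_path_safe(short_home, out, sizeof out));
    /* The same over-long value that would smash the stack in the
     * vulnerable routine is simply rejected here. */
    printf("safe (600-byte input): rc=%d\n", build_save_path_safe(long_home, out, sizeof out));
    return 0;
}
```

     A setgid binary should additionally treat every environment variable as untrusted input and, where the game only needs the games group for a high-score file, drop the extra group as soon as that file is open.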

[02] Vulnerable

     Vulnerable and exploitable version, tested on Debian 3.1:

     -  silly Poker v0.25.5

     Prior versions may also be vulnerable.
     Source can be found at:
     http://www.colby.edu/personal/k/kmradlof/sillypoker/

[03] Proof of concept

     peyote:/home/demz/audit$ ./c-sillyPoker

     silly Poker v0.25.5 local exploit
     ---------------------------------------- demz @ c-code.net --
     sh-2.05a#

     A proof of concept exploit can be found at:
     http://www.c-code.net/Releases/Exploits/c-sillyPoker.c

[04] Vendor response

     The vendor is informed.

