Crafty Game Stack Overflow & Exploit
Copyright © Rosiello Security
http://www.rosiello.org
ADVISORY: http://www.rosiello.org/en/read_bugs.php?18
BACKGROUND: by SecurityTracker
EXPLOIT: http://www.rosiello.org/archivio/crafty.zip
Impact: Execution of arbitrary code via local system, User access via local
system
Version(s): 19.3 and prior versions
Description: A vulnerability was reported in the Crafty game. A local user may
be able to gain elevated privileges on the target system, depending on the
configuration.
It is reported that 'crafty.bin' does not properly check the bounds of
user-supplied command line data. A local user can supply specially crafted
values to trigger a buffer overflow and execute arbitrary code with the
privileges of Crafty. On some Linux distributions, Crafty is installed with set
group id (setgid) 'games' group privileges.
Steve Kemp reported this vulnerability.
Impact: A local user can execute arbitrary code with the privileges of Crafty,
which may be 'games' group privileges on some distributions.
Solution: It appears that no upstream fix was available at the time of this
entry. The vendor notes that Crafty is not installed with set user id (setuid)
or set group id (setgid) privileges, so there would be no security impact.
However, some Linux distributions may install with setuid or setgid privileges.
Vendor URL: www.limunltd.com/crafty/ (Links to External Site)
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
The exploit contains a bruteforce written in perl to get run time the right
offset of the machine.