-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2009-007 ================================= Topic: Buffer overflows in hack(6) Version: NetBSD-current: source prior to June 30, 2009 NetBSD 5.0: affected NetBSD 4.0.1: affected NetBSD 4.0: affected Severity: Unprivileged local users can gain access to "games" group Fixed: NetBSD-current: June 29, 2009 NetBSD-5 branch: June 29, 2009 (5.1 will include the fix) NetBSD-5-0 branch: June 29, 2009 (5.0.1 will include the fix) NetBSD-4 branch: June 29, 2009 (4.1 will include the fix) NetBSD-4-0 branch: June 29, 2009 (4.0.2 will include the fix) Please note that NetBSD releases prior to 4.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Hack, a "rogue-like" game, is installed setgid to the "games" group to allow access to shared data and high scores and allow saved games to be stored where they cannot be tampered with. Buffer handling shortcomings allow arbitrary code execution with the privilege of the "games" group, which can then be used to attack other users playing games. Technical Details ================= The gethdate() function contains a stack-based buffer overflow vulnerability that can be exploited by setting the PATH environment variable. The main() function contains a data-segment-based buffer overflow bug attackable in wizard mode by the GENOCIDED environment variable; this may be exploitable via function pointers elsewhere in the data segment. Multiple other string handling weaknesses exist that may or may not be attackable and may or may not be exploitable. Solutions and Workarounds ========================= Removing the setgid bit from /usr/games/hack is a simple and effective workaround, although hack will not work properly without it. For all affected NetBSD versions, the proper fix requires obtaining updated sources, and rebuilding and installing hack. Fixed sources may be obtained from the NetBSD CVS repository. * NetBSD-current: Systems running NetBSD-current dated from before 2009-06-30 should be upgraded to NetBSD-current dated 2009-06-30 or later. * NetBSD 5.0_STABLE and 5.0.0_PATCH: The binary distribution of NetBSD 5.0 is vulnerable. Systems running NetBSD 5.0 sources dated from before 2009-06-30 should be upgraded from NetBSD 5.0 sources dated 2009-06-30 or later. NetBSD 5.0.1 and 5.1 will include the fix. * NetBSD 4.0_STABLE and 4.0.1_PATCH: The binary distribution of NetBSD 4.0 is vulnerable. Systems running NetBSD 4.0 sources dated from before 2009-06-30 should be upgraded from NetBSD 4.0 sources dated 2009-06-30 or later. NetBSD 4.0.2 and 4.1 will include the fix. * For all releases: The following directories need to be updated from the appropriate CVS branch: games/hack To update from CVS, re-build, and re-install hack: # cd src # cvs update -d -P games/hack # cd games/hack # make USETOOLS=no cleandir obj # make USETOOLS=no dependall install This will select the fixes for the branch you have already checked out in your source tree. For more information on building (oriented towards rebuilding the entire system, however) see: http://www.netbsd.org/guide/en/chap-build.html Thanks To ========= David A. Holland found and fixed the problems. Revision History ================ 2009-06-30 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-007.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (NetBSD) iQIcBAEBAgAGBQJKSl6pAAoJEAZJc6xMSnBuvToP+gJN7pXD5M1Sd8/lG+bM5DQr nxSAlOzww0gzIJPxvvkYNWooQM3wW2OdvqTrIiN6UMTtAXsuw4UFsnbiwUorj8rZ XexgNO8hK5MyqebpsCwzH7Ofcip5yozBspBcE5bOVXQZcRKrUprvS+Zk9Q141ObV NZ6qY2y9NjRE4lKzXMsxTLQHhFPMVTC+nG4rke4RrFIur11xdT1xIW59iuJExVTs 5eqFE/yOgmVondPCaln830beho3wHIha4obYXYq0+C2xbFzNvNu0+mAIKxkNhxel 902vLMHolzp664mSrKNxJwV2es3ii0NMMGlnGGecIsz+RedvizG2wcdEWCTumLEw jIJY448FsI1a2GKHbOH5N/TieidHbEq81v8H0k2Kkw5B0GlwARsW8iCDVNeGpmKr 0F5Zqy2M0EvNfGykPw+Rd+vU7soid4JFJVlnGoEFt2BbhtMz7XlT8xovy4I4Sgp0 1klYEwB8Y8quipJnN9tmyAX3eVH73s0ycA4mjlSFtsvMZDTU0xr0znC1gaCcWtia gfq1pLgyH1BNgg2TuAon2kGwON2T/FzSoJySSjujWq9LXLKj3ZEhqCRTmQ9m+cHr jpI0Lx4gSxixKlH+ROv6Y/6bmc8+W0JUtHkUIkEtj/PeJ/GBVCBjEOzShCkvep6t qYfYnSqAMzMWrCl6ARb5 =7nGK -----END PGP SIGNATURE-----