Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8067
HistoryMar 16, 2005 - 12:00 a.m.

DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow'

2005-03-1600:00:00
vulners.com
10

0.0004 Low

EPSS

Percentile

0.4%

JSON

DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow'
Author: Kevin Finisterre
Vendor: [email protected] (broken)
Product: 'luxman'
References: (CAN-2005-0385)
http://www.digitalmunition.com/DMA[2005-0310a].txt
http://www.debian.org/security/2005/dsa-693

Description:
LuxMan is a Pac-Man clone for SVGALIB. It includes color, sound, several
different levels, and difficulty settings. LuxMan also comes with tools
for making your own levels and customizing the game. Woohoo! Lets chomp
some power pellets! I've got pacman fever folks.

The following statement from http://packages.debian.org/stable/games/luxman
led me to audit this package:

"WARNING: This package CONTAINS SETUID ROOT BINARIES. This is a possible
SECURITY RISK. I don't want to tell you not to afraid, but this package is
in Debian since 4 years w/o problems."

Be afraid! Shiver and quake in your boots! Well not really… the author
did a pretty good job at preventing "potential" exploits from happening.
(hp is rubbing off on me). The snippet below is taken from a file included
in the luxman_0.41.orig.tar.gz called README.Security:

----------- snip -----------

[This is perhaps overly cautious of me, but I'd rather be safe.]

LuxMan, like all other programs which use `svgalib', runs
setuid-root. That is, when it starts running, it is running
with root privileges. This means that it could delete all the files
on your hard drive, etc., if it wanted to.

The VERY FIRST thing the program does (after printing a copyright
notice) is to call vga_init(). `vga_init()' is an svgalib routine
which initializes the VGA card and gives up root privileges.

LuxMan NEVER attempts to regain root privileges after this point.

----------- snip -----------

As I stated above the author did a good job at limiting the impact of this
bug. By making a call to vga_init() this bug is pretty much curbed. vga_init()
detects the chipset and gives up supervisor rights immediately.

If we plan to exploit this bug we pretty much only have two options… hope that
the machine is running a super old school version of sgvalib or cross your fingers
for 'security compat' in the config file. If you have neither of these you are
pretty much S.O.L., unless you have some other technique for bypassing vga_init().

Svgalib versions prior to 1.2.11 had a security hole where it would be possible
to regain root privileges even after a vga_init() call. Some programs may
(accidently) rely on the old vga_init behaviour (which was probably due to the
author not knowing about saved uids (which might actually even not have existed in
Linux at that time)). Because of this svgalib includes the option to revert back
to the old behavior. Placing 'security compat' in /etc/vga/libvga.conf or on
debian /etc/vga/libvga.config will reinstate the old behavior.

If either of the above conditions are met exploitation can be done as shown below.

By providing an overly long argument to the '-f' option a fixed buffer will be
overflown and if you were lucky you get a root shell.

kfinisterre@kfinisterre01:~$ id
uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre)

kfinisterre@kfinisterre01:~$ ./luxman_ex2.pl
LuxMan v0.41, Copyright (c) 1995 Frank McIngvale
LuxMan comes with ABSOLUTELY NO WARRANTY; see COPYING for details.

You must be the owner of the current console to use svgalib.
Not running in a graphics capable console,
and unable to find one.
Using EGA driver.
svgalib 1.4.3
You must be the owner of the current console to use svgalib.
Not running in a graphics capable console,
and unable to find one.

The frame rate is now set to 1 frames per second.
If the game seems too fast, too slow, or too jerky,
you can adjust this value the `-r' option.

Calibrating delay…-666626
Sound server started [pid:15233]
sh-2.05b# id
uid=0(root) gid=1000(kfinisterre) groups=1000(kfinisterre)

To fix this vulnerability modify util.cc as follows or do an 'apt-get update' if
you are on Debian.

— luxman-0.41/gtools/util.cc-orig Wed Mar 9 20:18:58 2005
+++ luxman-0.41/gtools/util.cc Wed Mar 9 22:21:31 2005
@@ -295,6 +295,9 @@
if ( !strlen( basename ) )
return 0;

  • if ( strlen( basename ) > NAME_MAX )
  •    return 0;
  • /* Try basename */
    if ( resolve_tilde( bname, basename ) == NULL )
    return 0;

Timeline associated with this bug:
03/09/05 Contacted [email protected] and [email protected]
03/09/05 Bug verified by Steve Kemp
03/10/05 [email protected] provides CVE ID
03/14/05 Debian [DSA 693-1] released to address this issue

Related

cve 1
osv 1
cvelist 1
openvas 2
debian 2
nessus 1
nvd 1
cve
cve
CVE-2005-0385
2005-05-02 04:00:00
osv
osv
luxman - buffer overflow
2005-03-14 00:00:00
cvelist
cvelist
CVE-2005-0385
2005-03-17 05:00:00
openvas
openvas
Debian: Security Advisory (DSA-693-1)
2008-01-17 00:00:00
Debian Security Advisory DSA 693-1 (luxman)
2008-01-17 00:00:00
debian
debian
[SECURITY] [DSA 693-1] New luxman packages fix local root exploit
2005-03-14 16:22:59
[SECURITY] [DSA 693-1] New luxman packages fix local root exploit
2005-03-14 16:22:59
nessus
nessus
Debian DSA-693-1 : luxman - buffer overflow
2005-03-15 00:00:00
nvd
nvd
CVE-2005-0385
2005-05-02 04:00:00

0.0004 Low

EPSS

Percentile

0.4%

JSON
Related for SECURITYVULNS:DOC:8067
cve1osv1cvelist1openvas2debian2nessus1nvd1