-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2010-009
                 =================================

Topic:          Privilege Handling Errors In larn

Version:        NetBSD-current:  source prior to February 3, 2008
                NetBSD 5.0.2:    not affected
                NetBSD 5.0:      not affected
                NetBSD 4.0.1:    not affected
                NetBSD 4.0:      affected

Severity:       Unprivileged Local Users Can Gain Access To "games" Group

Fixed:          NetBSD-current:    Feb 3, 2008
                NetBSD-4 branch:   Feb 3, 2008 (4.1 would include the fix)
                NetBSD-4-0 branch: Feb 3, 2008 (4.0.1 includes the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Larn, a "rogue-like" game, is installed setgid to the "games" group to
allow access to shared data and high scores. Properly, only accesses to
these objects should be made with the privileges of the "games" group.
However, due to improper privilege handling, the game always runs with
the privileges of the "games" group, opening up a number of possible
ways for an unprivileged user to gain improper access to that group.

There is also an additional problem fixed by the same patch set: when
one wins larn, it sends the user junk mail. This junk mail is prepared
in insecure temporary files. It is likely impractical to use this to
attack another user who is playing larn; however, it might be possible
upon winning larn oneself to exploit it to gain access to the "games"
group.


Technical Details
=================

When games were changed from setuid to setgid (circa 1997), larn was
never updated to switch group IDs instead of user IDs. This meant that
when it tried to drop to a lower privilege level, nothing happened.
Thus the game always runs with access to the games group, and a number
of possible actions (most notably, writing out save files) are done
with access to the games group. Save files can thus be written into
/var/games, possibly overwriting or damaging files belonging to other
games.
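The privilege-handling pattern the fix has to restore, and the safe way to create the winner's-mail scratch file, as an added C example. This is not NetBSD's larn code: the function names (privs_init, privs_drop_temp, privs_raise, privs_drop_permanent, open_private_tempfile, tempfile_roundtrip) and the "larn-mail.XXXXXX" template are constructed for the illustration. It assumes a setgid program whose real gid is the player's group and whose effective gid is "games"; run unprivileged, both gids are the same and the checks still pass.

```c
/* Added example, not code from NetBSD's larn: how a setgid "games" program
 * should handle its group privilege, and how the winner's mail scratch file
 * should be created.  Function names and the temp-file template are
 * constructed for this illustration. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

static gid_t user_gid;   /* real gid: the player's own group                  */
static gid_t games_gid;  /* effective gid: "games", granted by the setgid bit */

/* Record both gids once, at startup, before anything touches a file. */
void privs_init(void)
{
    user_gid  = getgid();
    games_gid = getegid();
}

/* The advisory's bug in one line: the setuid-era code did setuid(getuid()).
 * That call succeeds (the uid was never raised) but leaves the effective
 * gid at "games", so nothing is dropped.  A correct temporary drop changes
 * the effective gid and then verifies the change instead of trusting it. */
int privs_drop_temp(void)
{
    if (setegid(user_gid) == -1)
        return -1;
    return getegid() == user_gid ? 0 : -1;
}

/* Regain "games" only around scoreboard / shared-data access. */
int privs_raise(void)
{
    if (setegid(games_gid) == -1)
        return -1;
    return getegid() == games_gid ? 0 : -1;
}

/* Permanent drop (e.g. before starting a sub-shell): set real, effective
 * and saved gid, then prove the privileged group cannot be regained. */
int privs_drop_permanent(void)
{
    if (setregid(user_gid, user_gid) == -1)
        return -1;
    if (getgid() != user_gid || getegid() != user_gid)
        return -1;
    if (games_gid != user_gid && setegid(games_gid) == 0)
        return -1;   /* saved gid still "games": drop was not permanent */
    return 0;
}

/* Winner's mail scratch file: mkstemp() creates a uniquely named file with
 * O_CREAT|O_EXCL and mode 0600, so a pre-planted file or symlink at a
 * predictable path is never followed.  Unlinking right away leaves the
 * descriptor as the only reference.  Returns the fd, or -1. */
int open_private_tempfile(const char *dir)
{
    char path[256];
    int fd;

    if (snprintf(path, sizeof path, "%s/larn-mail.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    fd = mkstemp(path);
    if (fd == -1)
        return -1;
    (void)unlink(path);
    return fd;
}

/* Round-trip a short message through the scratch file; 0 on success. */
int tempfile_roundtrip(const char *dir, const char *msg)
{
    char buf[128];
    ssize_t n;
    int fd = open_private_tempfile(dir);

    if (fd == -1)
        return -1;
    if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg) ||
        lseek(fd, 0, SEEK_SET) == -1 ||
        (n = read(fd, buf, sizeof buf - 1)) < 0) {
        close(fd);
        return -1;
    }
    buf[n] = '\0';
    close(fd);
    return strcmp(buf, msg) == 0 ? 0 : -1;
}

int main(void)
{
    privs_init();
    printf("real gid %u, effective gid %u\n",
           (unsigned)user_gid, (unsigned)games_gid);
    printf("temporary drop:    %s\n", privs_drop_temp() == 0 ? "ok" : "FAILED");
    printf("raise for scores:  %s\n", privs_raise() == 0 ? "ok" : "FAILED");
    printf("permanent drop:    %s\n", privs_drop_permanent() == 0 ? "ok" : "FAILED");
    printf("private temp file: %s\n",
           tempfile_roundtrip("/tmp", "You have won!") == 0 ? "ok" : "FAILED");
    return 0;
}
```

Each drop checks getegid() afterwards rather than trusting the return value; that check is exactly what would have caught larn's no-op privilege drop. The permanent drop additionally tries to regain the group and treats success as a failure, which catches a platform where setregid() did not clear the saved gid.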
This creates the possibility that ordinarily-harmless weaknesses in
other games might be exploited to gain a shell with access to group
games. It also allows denial of service against other games.

Larn also has the ability to start a sub-shell, but it always runs
/bin/csh, which under NetBSD refuses to start when setgid. It is
believed that this path is not exploitable.


Solutions and Workarounds
=========================

Removing the setgid bit from /usr/games/larn is a simple and effective
workaround, although larn will not work properly without it.

For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing larn.

The fixed sources may be obtained from the NetBSD CVS repository.

The fixes for this vulnerability are contained in the following file
revisions for each CVS branch:

        CVS branch      file                            revision
        -------------   ----------------                -----------
        HEAD            src/games/larn/bill.c           1.9
        HEAD            src/games/larn/header.h         1.18
        HEAD            src/games/larn/main.c           1.21
        HEAD            src/games/larn/scores.c         1.16
        netbsd-4        src/games/larn/bill.c           1.7.16.1
        netbsd-4        src/games/larn/header.h         1.16.2.1
        netbsd-4        src/games/larn/main.c           1.17.4.1
        netbsd-4        src/games/larn/scores.c         1.12.16.1
        netbsd-4-0      src/games/larn/bill.c           1.7.26.1
        netbsd-4-0      src/games/larn/header.h         1.16.12.1
        netbsd-4-0      src/games/larn/main.c           1.17.8.1
        netbsd-4-0      src/games/larn/scores.c         1.12.20.1

The following instructions briefly summarize how to update and
recompile larn. In these instructions, replace:

        BRANCH  with the appropriate CVS branch (from the above table)
        FILES   with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install larn:

        # cd src
        # cvs update -d -P -r BRANCH FILES
        # cd games/larn
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

        http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

David A. Holland, who found and fixed the problem.


Revision History
================

        2010-10-21      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at

        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-009.txt.asc

Information about NetBSD and NetBSD security can be found at

        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-009.txt,v 1.1 2010/10/21 09:02:57 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJMwCWaAAoJEAZJc6xMSnBuMDwP/RJCTIDc2P4YjOCX9QLAzeOd
QBwc4a2k3nMqdJCqSx5n0gT6g2H+OFEiT+SMaWlPa5nqLtxp3DjzXcL89Si6e0+u
BDLrZAjewCKayasw7CkUDDeAAo4OR06OwkKiPiSsYFm3YBXQWRkDO82/Ni9OJRTa
KfMmvHiBfu+FSJ+RuBjbBq5j1CWlBPS9ouY+C0aYo1t6QLYMb/gmgRjGak5HQV71
ze+O/waQVS/axWwQ0bxrMNzOiI978cYFAyBrrNshT990cNdA9wWFWilLWNaKCPl4
dVqdDo7a7lucoRUo2vPYxjflB5wROO0F1jOPq63hQ62HsFrD7XiG7u30jKTfWJe5
gxPa6sL3goe1oS12IWTWrbIYLViYMJTvMUQl9wU5/U1kdIV/xDeR15zqThdI5lQ5
fWHMqPZfhJoPD7/uaLpIcALrW8057LOaezp0ck26rXPLg1o+zlylHulr0gOkDBbn
7TjK/Rkm6gafKJgsmCNnoRYHJb/OQJMUo5ZcwdYRJ5JpPPVqtO071oZG5h5c5waU
X90Bf7b3NujZeSwSNK8wVNMNMU/bGtL5AXNO9mZXiaeVv+MwtiHRudcgM4fEZt4P
PJfTAa0CKEf6zBe6iFzS5tpbTB0g7uyLt9zBIqOcxzSPP+qHCiHeY6nuifywKbqJ
U1uwVbSD1bdPUpyFMSqr
=B6eQ
-----END PGP SIGNATURE-----