SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Game)  >  Typespeed
Vendors:  Ollikainen, Jani
Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006987
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 14 2003
Impact:  Execution of arbitrary code via network, User access via network
Version(s): 0.4.1 and prior versions
Description:  A vulnerability was reported in the Typespeed typing game. A remote user can execute arbitrary code on the target system when the game is run in network mode.

Bazarr reported that a heap buffer overflow resides in the net_swapscore() function in 'network.c'. When the two players exchange scores, the function copies the peer's "SCORE:" line into a 10-byte malloc()'d buffer ('number') using strncpy() with a length taken from strcspn(temp, " "), i.e. the distance to the first space in the received data. Since the peer controls that data and need not send a space, up to 52 bytes (the 59-byte receive buffer minus the 7-byte "SCORE: " prefix) can be written into the 10-byte heap allocation, which is then passed to free(). A remote user can reportedly use this to corrupt the heap and execute arbitrary code.

[Editor's note: The vendor's Readme file indicates that the network mode is "buggy."]

Impact:  A remote user can execute arbitrary code with the privileges of the user running Typespeed. On Debian the binary is installed setgid 'games' (see the 'ls -al' output in the report below), so the code also runs with that group's privileges; the "remote root" claim in the title of the posted report is not supported by the file permissions it shows.
Solution:  No solution was available at the time of this entry. (Debian subsequently issued a fix; see the follow-up message listed below.)
Vendor URL:  www.sicom.fi/~bestis/typespeed.html
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "bazarr@ziplip.com" <bazarr@ziplip.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 17 2003 (Debian Issues Fix) Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.



 Source Message Contents

Date:  Thu, 12 Jun 2003 15:10:53 -0700 (PDT)
From:  "bazarr@ziplip.com" <bazarr@ziplip.com>
Subject:  BAZARR THUG LIFE, DON'T READ OR VIRUS INFECT YOU

Read the attached advisory for a remote vulnerability in a popular, widely used application.

-bazarr

[Attachment: bazarr-episode-5.txt]

/* typespeed server <=v0.4.1 remote root vulnerability!			*/
/* by: bazarr								*/
/* bazarr@ziplip.com							*/
/* bazarr episode #5							*/


----------------------
PREFACE

>caddis< i just be messing wid you man relax
--- caddis :No such nick/channel

After reading a tutorial on HTML programming, I have redesigned my website; it now covers all the features of a real website. It has a lot of cool content now! http://geocities.com/rrazab

After a long series of elaborate emails with lcamtuf it has become apparent that it is up to me and him to save full disclosure from blackhats. We are forming a group called FHAB, or Fire Hot Asian Boys (it's a household name). At the moment it is me, lcamtuf and a half-Mexican from Alaska who just idles in #!FHAB all day long. tuf is in the process of auditing many opensshd functions while I am auditing many setgid uucp Tru64 applications. Together we form the ultimate team and we are able to find all the blackhat bugs around the entire globe and stop them from hacking any more OpenBSD developers.

This is an advisory for a remote typespeed vulnerability on Debian x.x and everyone else around the world. Let's take a look at the man page output:

    DESCRIPTION
    Typespeed gives your fingers' cps (total and correct), typoratio and some
    points to compare with your friends. Typespeed's idea is ripped from
    ztspeed (a dos game made by Zorlim). Idea of the game should be clear to
    anyone, just type and type it fast, or be a lewser. Notice: the speed of
    words going across the screen has been changed in version 0.4.0. Scores
    are not comparable with older versions now. See the README file for more
    detailed information.

Now many a security researcher may remember that martin of the Debian security team released an advisory for typespeed and got rid of all the buffer overflows in typespeed. WRONG. typespeed did have many command line overflows, but one glance at the source code and I spot an elaborate remote buffer overflow bug. Now we all know that typespeed was a science project for a college student who is now off at a programming job and doesn't care about typespeed anymore, so he cannot be expected to deliver a patch for typespeed. It is up to Debian to deliver the patch. I am glad he got a B+ for typespeed though. Let's take a look at a terminal session for a second:

    thuglife@debian$ pwd
    /home/thuglife/.elm/pornstash
    thuglife@debian$ ls -al /usr/games/typespeed
    -rwxr-sr-x    1 root     games       32092 Jan  4  2002 /usr/games/typespeed
    thuglife@debian$

Now some of you are thinking "oh wow, another gid games bug, go audit qpopper or something, you jackass", and to that I say: shut up, high-on-PCP voice in my head, because this is remote gid games, not local! And I'll audit qpopper when I finish UNP (not including the XTI part) ... This is a remote gid games bug, and it's 0day too, so you will be able to hack many boxes with it. Now I am off to the land of source code, where there are many nice bugs to take care of and release back into the wild where they can roam free from blackhat abuse.

This is a copy and paste out of my bug file (it's encrypted, so don't hack my box to steal this unless you can break rot96, developed by me):

#109 file: /usr/games/typespeed, remote bug martin missed
src location: network.c
code snip:

    void net_swapscore(int typesock, stats_struct *stat, stats_struct *stat2)
    {
        char buf[60];
        int x, i;
        char *temp, *temp2;
        char *number;

        sprintf(buf, "SCORE: %d %f %f %f\n", stat->score, stat->speed, stat->totalspeed, stat->ratio);
        i = send(typesock, buf, strlen(buf), 0);
        strcpy(buf, " ");                          //HACKLOG what the hell is this!
        while (1) {
            i = recv(typesock, buf, 59, MSG_PEEK);
            if (i == -1 && errno != EWOULDBLOCK) {
                endcursestuff();
                perror("recv()");
                exit(1);
            }
            if (i > 0) {
                recv(typesock, buf, strlen(buf) + 1, 0);
                if (strstr(buf, "SCORE:") > 0) {
                    break;
                }
            }
        }
        number = malloc(10 * sizeof(char));        //HACKLOG this mallocs ten because sizeof(char) is guaranteed to be 1 byte (it's 2 bytes on MIPS, I think)
        temp = malloc(80 * sizeof(char));          //HACKLOG this mallocs 80
        i = 0;
        for (x = 7; x <= strlen(buf); x++) {
            temp[i] = buf[x];                      //HACKLOG temp is 80 bytes, so it can hold the big 59-byte buf
            i++;
        }
        strncpy(number, temp, strcspn(temp, " ")); //HACKLOG strncpy, so it's secure
        stat2->score = strtol(number, NULL, 10);   //HACKLOG WAIT, STRNCPY, BUT IT USES STRCSPN. WHAT THE HELL IS STRCSPN?
        free(number);
        /* THE REST IS USELESS */

After a period of 9 hours studying the strcspn() man page I am able to report that there is a buffer overflow in typespeed. Here is a copy and paste of the strcspn() man page:

    ...
    size_t strcspn(const char *s, const char *reject);
    ....
    DESCRIPTION:
    ... The strcspn() function calculates the length of the initial segment
    of s which consists entirely of characters not in reject.

This means that we can overflow buffer 'number' with buffer 'temp', which is buffer 'buf', and buffer 'buf' is 60 bytes while buffer 'number' is 10. This means that we have a heap overflow on our hands, and this is a serious issue. ALPHA TANGO WHISKY NINER, WE GOT A CODE ZERO BUFFER OVERFLOW IN CODE. See, I prove that just because the author uses strncpy does not mean that he is secure from a "buffer too big" attack.

----------------------
PATCH

Too many bugs in typespeed to patch this year, sorry! But if you really want to, then go talk to martin; it's his job, not mine! I just report the bugs, I don't patch them. I am like a mean bus driver: I won't help you if I'm on my lunch break!

----------------------
XPLOIT

It's possible to code an exploit using small read code, but I am not wasting time on this, sorry.

----------------------
VENDORS NOTIFIED

This isn't my job!

----------------------
VENDORS VULNERABLE

debian 3.0 - default install!#$
FreeBSD - ports?
NetBSD - ports?
OpenBSD - ports?
all users who have typespeed installed. (whole globe)

----------------------
ADVANCE WARNING

IRIX, you are in trouble in the next episode (lsd is not the only kid on the block with commercial unix!). Would you believe that there have been patches by the deb team which actually added locally exploitable bugs to gain root with on multiple distros? It may be too early in bazarr season to discuss this issue, sorry! It's confidential! Debian is a great GNU/Linux distro despite the security holes. It's wonderful. I have used it forever.

----------------------
GREETS

irc-bazarr - Hello there, fake bazarrs. I know you must like me very much to impersonate me, so I give you a greet. Remember that the real bazarr (me) NEVER uses public IRC under the name 'bazarr'. I am sorry for the abuse caused by fake bazarrs, but that isn't me, sorry. Fake bazarrs include: some guy from a free shell provider and bell something.

yourname - Send me email and I'll pick a random name to be put in here!

realbazarr - It's amazing that a young boy with a twinkle in his eye and a foot in his ass can gain so much fame so quickly.

documentry - I'm sad to report that ring member documentary has to come to an end because dave censors too much. That means you are missing many cool ring member captures, such as the palmers capture, which proves he is a wild one:

    *palmers* i cannot get rid of the impression that you are the only one who knows about your ring
    >palmers< ok you playing hard ball
    >palmers< i can be your best friend or your worst enemy
    >palmers< its a long cold road to travel down
    *palmers* oh, what do you mean by that?
    >palmers< nothing i just kidding!

----------------------
BYE

Remember that I am constantly working on more and more bleeding edge security vulnerabilities for this community. It's a change from the my-hello-world-ftpd format string and cross site scripting vulnerabilities reported by 24 year old fl4ppyw1lly@hotmail.com. I will be exposing more "buffer too big" attacks, "int too big" attacks, the revolutionary "int too small" attack, and the very private "size_t -1" attack, which will be discussed in detail very, very soon in a paper I am writing entitled "Is my buffer too small?", which will be placed in /misc on my wonderful website, so please check that often! Bye guys, I have to go now; it has been fun, though it's time for me to clean my room and feed my guinea pig named fuzbal. The class let me take him home for a week, but I never give him back. Never.

-bazarr
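The length bug that both the SecurityTracker description and the posted code walk-through describe, as an added example that is not part of the original page or of typespeed itself. vulnerable_copy_len() reproduces only the length computation from net_swapscore() (the 59-byte recv() clip, the 7-byte "SCORE: " skip and the strcspn(temp, " ") length) without performing the copy, so the attacker-controlled length can be compared with the 10-byte 'number' allocation safely. parse_score_line() is a hypothetical bounded replacement: its name, the 9-digit limit and the reject-rather-than-truncate policy are this example's assumptions, not the project's or Debian's fix. The sample lines are constructed here.

```c
/* Added example, not typespeed code: the net_swapscore() length computation
 * reproduced beside a hypothetical bounded parser for the "SCORE:" line. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUMBER_LEN 10   /* the malloc(10) 'number' buffer in net_swapscore() */
#define BUF_LEN    60   /* the char buf[60] that recv() fills (59 bytes max) */
#define PREFIX_LEN 7    /* strlen("SCORE: "); the copy loop starts at x = 7 */

/* How many bytes the original strncpy(number, temp, strcspn(temp, " "))
 * would write for a given peer line. The line is clipped to the 59 bytes
 * recv() can deliver, as in the original. The copy is NOT performed; only
 * the peer-controlled length is returned so it can be compared with
 * NUMBER_LEN. */
size_t vulnerable_copy_len(const char *line)
{
    char buf[BUF_LEN];
    size_t n = strlen(line);

    if (n > BUF_LEN - 1)
        n = BUF_LEN - 1;                 /* recv(typesock, buf, 59, ...) */
    memcpy(buf, line, n);
    buf[n] = '\0';
    if (n < PREFIX_LEN)
        return 0;
    /* temp holds buf[7..]; strcspn() stops at the first space, or at the
     * terminator if the peer never sends one, so the result is bounded only
     * by what the peer sent, never by the size of 'number'. */
    return strcspn(buf + PREFIX_LEN, " ");
}

/* Hypothetical hardened replacement (an assumption, not the project's fix):
 * accept the score field only while it fits a NUMBER_LEN buffer and consists
 * of digits, and reject anything else instead of silently truncating.
 * Returns 0 and sets *score on success, -1 on malformed or oversized input. */
int parse_score_line(const char *line, long *score)
{
    char digits[NUMBER_LEN];
    size_t i = 0;
    const char *p = line;
    char *end;

    if (strncmp(p, "SCORE: ", PREFIX_LEN) != 0)
        return -1;
    p += PREFIX_LEN;
    if (*p == '-')                       /* allow a negative score */
        digits[i++] = *p++;
    while (*p >= '0' && *p <= '9') {
        if (i >= NUMBER_LEN - 1)         /* would not fit with the NUL: reject */
            return -1;
        digits[i++] = *p++;
    }
    if (i == 0 || (i == 1 && digits[0] == '-'))
        return -1;                       /* no digits at all */
    if (*p != ' ' && *p != '\n' && *p != '\0')
        return -1;                       /* field must end at a separator */
    digits[i] = '\0';
    errno = 0;
    *score = strtol(digits, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    return 0;
}

/* Constructed sample input: "SCORE: " followed by 52 '1's, i.e. the largest
 * score field that fits in the 59 bytes recv() reads, with no space for
 * strcspn() to stop at. */
const char *sample_oversized_line(void)
{
    static char line[BUF_LEN];
    memset(line, '1', BUF_LEN - 1);
    memcpy(line, "SCORE: ", PREFIX_LEN);
    line[BUF_LEN - 1] = '\0';
    return line;
}

int main(void)
{
    const char *good = "SCORE: 12345 1.5 2.5 0.9\n";  /* constructed, well-formed */
    const char *bad = sample_oversized_line();
    long score = 0;

    printf("well-formed line: strncpy length %zu, fits in %d\n",
           vulnerable_copy_len(good), NUMBER_LEN);
    printf("oversized line:   strncpy length %zu, overflows the %d-byte heap chunk\n",
           vulnerable_copy_len(bad), NUMBER_LEN);
    printf("bounded parse of well-formed line: %s (score=%ld)\n",
           parse_score_line(good, &score) == 0 ? "accepted" : "rejected", score);
    printf("bounded parse of oversized line:   %s\n",
           parse_score_line(bad, &score) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The well-formed line yields a 5-byte copy, while the constructed 59-byte line with no space yields 52, more than five times the 10-byte allocation that free(number) later hands back to the allocator; the bounded parser rejects that line outright rather than copying a prefix, which is the safer policy when the peer is untrusted.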








Copyright 2002, SecurityGlobal.net LLC