[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file

bugzilla at redhat.com bugzilla at redhat.com
Fri Apr 4 17:44:35 UTC 2008


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file
Alias: CVE-2006-1390

https://bugzilla.redhat.com/show_bug.cgi?id=187353





------- Additional Comments From metcalfegreg at qwest.net  2008-04-04 13:44 EST -------
My group count is already up to 60, with one user. IMHO, adding another for some 
random game is not optimal. It only makes life harder for people writing system 
profiling/hardening/management tools, and systems administrators that would like to 
use them to manage groups of machines. 

A best practice for *writing* SUID/SGID programs is to use those privileges as early as 
possible, then revoke them. If nethack isn't doing that, I have to wonder what other 
problems it might have, and whether I should allow it on the system at all.

I just installed it, and got this error, as I have no /etc/X11/fontpath.d/:
ln: creating symbolic link `/etc/X11/fontpath.d/nethack': No such file or directory
error: %post(nethack-3.4.3-16.fc7.i386) scriptlet failed, exit status 1
Installed: nethack.i386 0:3.4.3-16.fc7
Complete!
So, another problem.

I started it, and find the following files in var/games/nethack:
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 logfile
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 perm
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 record
drwxrwxr-x 2 root games 4096 2008-01-23 12:48 save
I quit, and logfile contains:
3.4.3 0 0 1 1 14 14 0 20080404 20080404 500 Pri Hum Fem Cha gregm,quit

So it does have to write into /var/log, as currently designed. Some other characteristics of 
the executable:
$ eu-readelf -l /usr/games/nethack-3.4.3/nethack | fgrep STACK | awk '{ print $7 }'
RW
eu-readelf -d /usr/games/nethack-3.4.3/nethack | fgrep -q TEXTREL exits with 1, so the 
program contains no text relocations. So at least those bits are OK.

But I wonder if this program couldn't have been better written, to use /tmp, then call a 
logger before exit. I just don't like the idea of adding yet another group for some random 
game.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
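The practice the comment above recommends for SGID programs (use the elevated group as early as possible, then revoke it before touching untrusted input such as a score file), as an added C example that is neither from the bug report nor NetHack's own code; the score-file path is a placeholder and the function names are illustrative:

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path for the scoreboard an SGID-games program updates. */
#define SCORE_FILE "/var/games/placeholder-game/record"

/* Step 1: open the score file while the SGID group is still in effect.
 * Only a plain regular file is accepted, and nothing is parsed yet.
 * Returns the descriptor, or -1 on failure. */
int open_score_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_APPEND);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: give the group privilege back for good. On Linux, setregid() with
 * the real gid in both slots also rewrites the saved set-group-ID, so a later
 * setegid() cannot restore it. Returns 0 on success, -1 on failure. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0)
        return -1;
    /* Confirm the drop actually took effect before trusting it. */
    if (getegid() != real || getgid() != real)
        return -1;
    return 0;
}

/* The program's first act: open, then drop, then (only then) parse.
 * Privileges are dropped even when the open fails. */
int init_score_file(const char *path)
{
    int fd = open_score_file(path);   /* step 1: SGID group active */
    if (drop_group_privs() != 0) {    /* step 2: always */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;                        /* -1 if the file was not usable */
}
```

Everything after init_score_file() runs with the player's own groups only, so a crafted record can no longer be parsed with the games group's rights.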



