Re: LinCity Buffer Overflow

John Goerzen (jgoerzen@SOUTHWIND.NET)
Tue, 17 Mar 1998 19:35:02 -0600

"T. Freak" <tfreak@JADED.NET> writes:

> Greetings,
>
> While a buffer overflow is blatantly obvious in the code, I don't think it
> is very dangerous. Observe.

Just a little history on this issue. Herbert Xu reported a bug #14553
to Debian's bug tracking system on November 5, 1997 stating that on
line 848 of main.cxx, the s3 variable was too small to hold the home
directory for him, which was large enough to apparently overflow the
buffer. I (the Debian maintainer of the lincity packages)
subsequently patched it to set s3 to (2 * PATH_MAX), unaware of the
full extent of the problem. On 22 Feb 1998, I modified Debian's
package to remove the setuid bit from any installed lincity
executables, suspicious of just this sort of issue (that was Debian
package 1.09-3, for those of you keeping score at home). Therefore,
any Debian system using Debian's lincity package, version 1.09-3 or
later, is not vulnerable to root attack from this bug.

It seems that there is no trivial patch to this program, however.
There are 17 separate occurrences of code of the sort
strcpy(s,getenv("HOME")) and, as far as I can tell from a quick
examination, not ONE of them is copying into a large enough buffer.
Additionally, there may well be many other occurrences of such
dangerous code with other strcpy calls, any one of which could
potentially lead to a root compromise if lincity is installed setuid.

Therefore, I recommend immediately performing one of the following:

1. If you are using Debian hamm/2.0, upgrade immediately to lincity
1.09-3.

2. Otherwise, run:

chmod a-s `which lincity`

On Linux FHS-compliant distributions, this would be the same as:

chmod a-s /usr/games/lincity

chmod a-s will immediately remove any setuid bits, negating any root
attack. However, the program could still be induced to dump core
fairly easily I suspect, although I am not sure that such a thing is
of any real danger when running as a normal unprivileged uid.

BTW, on a side note, there were also some bugs in engine.cxx relating
to type conversion. Debian's package contains Herbert Xu's patch.
That patch can be found via anonymous ftp at:

ftp://ftp.debian.org/debian/hamm/main/source/games, filename is
lincity*.diff.gz. (Note that this diff contains a lot of things not
relevant outside of Debian as well; however, a quick search for
engine.cxx and main.cxx ought to yield the specific diffs that would be
useful for any user of lincity.)

To summarize, then:

Debian 1.3.1 (lincity 1.03-2 or 1.09-1) is vulnerable to this issue,
but only if lincity-svga is installed (find out with dpkg -s lincity-svga)
and is setuid root. Debian hamm/pre-2.0 is not vulnerable unless
running an outdated package from before February 22, 1998. Any
hand-installed version from the author's makefile IS vulnerable,
unless the setuid bit was explicitly removed. I do not know of the
status of other distributions that may or may not include this game.

Regards,
John Goerzen

--
John Goerzen                              Southwind Internet Access, Inc.
E-mail: Business, jgoerzen@southwind.net; Personal, jgoerzen@complete.org
Computer Science Dept., Wichita State University,    jgoerzen@cs.twsu.edu
Developer, Debian GNU/Linux                       <http://www.debian.org>
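The strcpy(s, getenv("HOME")) pattern discussed in the message above, rewritten as a bounded copy that rejects an unset or oversized HOME instead of overflowing the destination buffer. This is an added illustration, not code from lincity or from Herbert Xu's Debian patch; the function name copy_home_dir, its explicit home parameter (so it can be fed constructed values rather than the real environment) and the return codes are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Return codes for the bounded copy (hypothetical, chosen for this example). */
enum { HOME_OK = 0, HOME_UNSET = -1, HOME_TOO_LONG = -2 };

/*
 * Bounded replacement for strcpy(s, getenv("HOME")).
 * 'home' is passed in explicitly so the check can be exercised with
 * constructed values; a caller would pass getenv("HOME").
 * The string is copied only if it fits in dstlen bytes including the
 * terminating NUL; otherwise dst is left empty and the reason is reported.
 * Enlarging the buffer (e.g. to 2 * PATH_MAX) does not remove the need
 * for this check, since HOME can be made arbitrarily long by the caller.
 */
int copy_home_dir(char *dst, size_t dstlen, const char *home)
{
    if (dstlen == 0)
        return HOME_TOO_LONG;
    dst[0] = '\0';
    if (home == NULL)            /* getenv() returns NULL when HOME is unset */
        return HOME_UNSET;
    size_t len = strlen(home);
    if (len >= dstlen)           /* no room for the terminating NUL */
        return HOME_TOO_LONG;
    memcpy(dst, home, len + 1);  /* length already verified, NUL included */
    return HOME_OK;
}

/* Construct a HOME value of n bytes (all 'A') to exercise the length check. */
size_t make_long_home(char *buf, size_t buflen, size_t n)
{
    if (n >= buflen)
        n = buflen - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char s3[PATH_MAX];                    /* same size as the patched lincity buffer */
    char longhome[2 * PATH_MAX + 1];      /* constructed, deliberately oversized */
    make_long_home(longhome, sizeof longhome, 2 * PATH_MAX);
    printf("short: %d\n", copy_home_dir(s3, sizeof s3, "/home/user"));
    printf("long:  %d\n", copy_home_dir(s3, sizeof s3, longhome));
    printf("unset: %d\n", copy_home_dir(s3, sizeof s3, NULL));
    return 0;
}
```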