Bug 103186

Summary: VUL-0: Users in group "games" can become root
Product: [Novell Products] SUSE Security Incidents Reporter: Stefan Nordhausen <nordhaus>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: aj, meissner, mls, ro
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard: CVE-2005-3321: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stefan Nordhausen 2005-08-09 21:09:44 UTC 
Since Suse Linux trusts members of the group "games" more than it should, a
member of this group can relatively easy become root. Since many games are
installed SGID games by default, group membership is easy to gain.


In order to become a member of group games you just need to exploit one of the
games that is SGID by default. Certainly many of these programs were never
intended to be SGID. The Tetris clone "ltris" for example will produce this
behaviour:

nordi@nordiputer:/tmp/ltest> HOME=/home/nordi`perl -e 'print "/"x512;'`
nordi@nordiputer:/tmp/ltest> ltris
LTris 1.0.10
[snip....]
Saving highscore chart in: /var/games/
Fatal signal: Segmentation Fault (SDL Parachute Deployed)
nordi@nordiputer:/tmp/ltest>

This is because ltris _trusts_ that $HOME contains meaningful data and uses
fixed sized buffers. Ltris was obviously not designed to be SGID. So group
"games" is easy to get.


The POSTINstall script of the rpm for "methane" contains the following lines:
   touch /var/games/methanescores
   chown root:games /var/games/methanescores
Since chown follows symlinks, a member of group games can chown an arbitrary
file (/var/games is writable for group games). By doing this, he can for example
read /etc/shadow. A very similar bug is in the POSTIN script of gnome-games
(lines 36ff). The PREIN script of geki2 is also looking somewhat fishy.

There is also another possibility for attack by abusing chkstat and temporary
copies of secret files. On my system, I have the following files:

/etc/shadow  /etc/shadow.backup  /etc/shadow.old  /etc/shadow.YaST2save

I assume /etc/shadow.YaST2save will be deleted at some time when YaST2 wants to
make another copy of the shadow file. An attacker can now place a _hardlink_ to
this file at /var/games/phantasia. Note that there is an entry for this file in
/etc/permissions.easy! Nevertheless, chkstat will not chown/chmod this file
because it has 2 hardlinks. But as soon as YaST2 removes its old backup copy,
the hardlink count drops to 1. Now chkstat will make the backup copy of
/etc/shadow readable to the attacker!


The first possibility for attack is easily solved by changing the 3 rpms. For
the second possiblity I think it is easiest to make /var/games be owned by root.
 Then, each package that requires scorefiles in /var/games can bring them in its
rpm and chown it to group games. This way, an attacker cannot play
hardlink/symlink games in /var/games any longer and it will also work against
the first attack.
Comment 1 Ludwig Nussel 2005-08-10 07:42:37 UTC 
Well spotted! It proves once again that there is no such thing as an innocent  
s bit. We'll have to update the permissions and filesystem packages to  
change /var/games to root:root 755 as well as any other package that has a  
group games writeable directory.
Comment 2 Ludwig Nussel 2005-08-10 08:51:04 UTC 
xsok contains /var/games/xsok which is group writeable as well and contains  
files that are changed by the permissions package. That one has to be 
root:root as well.
Comment 3 Ludwig Nussel 2005-08-10 14:03:12 UTC 
After talking with mls we came to the conclusion to fix it the following way:  
  
- /var/games will be root:root 755  
- games should not use world or group writeable directories  
- rpms need to have highscore files as %ghost and create them with  
  test -e /var/games/foo || \  
        install -m 664 -o root -g games /dev/null /var/games/foo  
- install will be patched to be less racy (ie use fchown).  
  
for released distro we need to update permissions and filesystem to  
change /var/games to root:root 755. Since that may break stuff we will first  
test the change with 10.0.
Comment 4 Ludwig Nussel 2005-08-10 15:04:14 UTC 
Ok, discussed again. If the highscore file doesn't change it's md5sum in the 
rpm (e.g. because its initially always zero) the preferred way to package it 
is 
 
%verify(not md5 size mtime) %config(noreplace) 
%attr(664,root,games) /var/games/foo
Comment 5 Ludwig Nussel 2005-09-28 11:35:07 UTC 
Maintenance-Tracker-2408  
  
Will update permissions in sles8, permissions and xmcd in 9.0, permissions  
and filessytem in 9.1-9.3.
Comment 6 Heiko Rommel 2005-10-11 11:13:27 UTC 
SUSE QA: 

After installing the maintenance update on sles8
(edeece9a87d211ef0c08ea0e95918b32, patch-10516) I have

puppis:~ # grep -Er ".games.*(66|77)" /etc/permissions*
/etc/permissions:/var/games/              games:games       0775

This conflicts with Comment #3!
Comment 7 Heiko Rommel 2005-10-11 13:12:52 UTC 
SUSE QA:

Comment #6 applies to the maintenance update for sles9
(cd99cc1034cc89ae4051288a7e0a8b21, patch-10514), too.
Comment 8 Marcus Meissner 2005-10-11 15:16:28 UTC 
I think some internal discussions were not fully tracked in here. 
 
at least the STABLE permissions has this entry: 
------------------------------------------------------------------- 
Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de 
 
- add slashes to several directories (#103186) 
- change /var/games to games:games 775 again (#103186) 
 
So that it is /var/games games:games 775 appears intentional by Ludwig. 
 
 
Ludwig will be back on 18.10.2005 and we will wait until he is back for 
further discussion.
Comment 9 Ludwig Nussel 2005-10-18 16:01:17 UTC 
Yes, there is off-line discussion with mls missing, sorry. We determined that the previous suggestion does not fix the problem completely. We now just don't change permissions of any files below /var/games anymore. Therefore it's safe to set it back to 775. For cases where it can't be avoided to change permissions of sub*directories* of world writable directories (/usr/src/packages/*) slashes have been appended to the filenames so chkstat will fail if it finds a file instead.
Comment 10 Thomas Biege 2005-10-20 11:32:17 UTC 
packages approved
Comment 11 Ludwig Nussel 2005-10-20 12:02:35 UTC 
it gets worse with every try to fix it *grmpf*
Comment 12 Ludwig Nussel 2005-10-20 13:56:15 UTC 
new packages and patchinfos submitted
Comment 13 Ludwig Nussel 2005-10-24 12:49:19 UTC 
updates and advisory released
Comment 14 Marcus Meissner 2005-11-08 16:00:50 UTC 
CVE-2005-3321
Comment 15 Thomas Biege 2009-10-13 21:42:55 UTC 
CVE-2005-3321: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Comment 16 Marcus Meissner 2013-01-24 15:05:01 UTC 
making a public bug