SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Local stackbased overflow found for silly Poker v0.25.5 (advisory + poc exploit) Date: Sep 30 2003 10:08PM Author: demz Message-ID: <003b01c3879f$6018e560$0200a8c0@windows1> Local stackbased overflow found in sill Poker v0.25.5 silly Poker contains an $HOME environment variable stack overflow, this can be exploited very simple to execute arbitrary code with gid=games privileges. demz demz c-code net -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 01100011 - code 'security research team' - ---------------------------------------- - - http://www.c-code.net - - Advisory and PoC exploit by: demz // demz c-code net - - Vulnerable source: silly Poker v0.25.5 - - Bug type: Stackoverflow - - Priority: 3 - ---------------------------------------- [01] Description [02] Vulnerable [03] Proof of concept [04] Vendor response [01] Description silly Poker is a simple yet comprehensive player vs. computer console poker game, written in C++. silly Poker contains an $HOME environment variable stack overflow, this can be exploited very simple to execute arbitrary code with gid=games privileges. [02] Vulnerable Vulnerable and exploitable version, tested on Debian 3.1: - silly Poker v0.25.5 Maybe also prior versions are vulnerable. Source can be found at: http://www.colby.edu/personal/k/kmradlof/sillypoker/ [03] Proof of concept peyote:/home/demz/audit$ ./c-sillyPoker silly Poker v0.25.5 local exploit ---------------------------------------- demz @ c-code.net -- sh-2.05a# A proof of concept exploit can be found at: http://www.c-code.net/Releases/Exploits/c-sillyPoker.c [04] Vendor response The vendor is informed. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE/eLePTfcKihbfHWwRAomtAJ9Ed63AGeVhBZI5D5Tuo9IZC7k8NQCdHwzs DBzstkA7yk/U9wl+S2wssw4= =KeFB -----END PGP SIGNATURE----- [ attachment: (application/octet-stream) ] Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus