Itetris Privileged Arbitrary Command Execution Vulnerability

Itetris, or "Intelligent Tetris", is a clone of the popular Tetris puzzle game for linux systems. The svgalib version of Itetris is installed setuid root so that it may access video hardware when run by a regular user. Itetris contains a vulnerability which may allow unprivileged users to execute arbitrary commands as root.

Itetris uses the system() function to execute gunzip when uncompressing font files. Unfortuntely it does so in a very insecure way -- relying on gunzip being located in directories specified in the PATH environment variable. It is possible to exploit this vulnerability if an attacker sets PATH to include a directory under his/her control in which a "gunzip" is found instead of or before the real location, eg:

PATH=/tmp/hacker:$PATH

Any program with the filename "gunzip" in /tmp/hacker would then be executed with Itetris' effective privileges. This vulnerability can be exploited to gain super user access and completely compromise the victim host.


 

Privacy Statement
Copyright 2010, SecurityFocus