GNU Chess Command Buffer Overflow Vulnerability
GNU Chess is a freely available, open-source chess engine that runs on most Unix and Linux variants. GNU Chess does not perform sufficient bounds checking on commands. Whether this is a security concern depends on the type of interface, if any, that is used with the engine. Where command data can be supplied from an external source, this may become an exploitable security issue. If an attacker can overrun the buffer with a maliciously constructed command passed through an interface, it is possible to overwrite stack variables (including the return address) with attacker-supplied instructions.
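The kind of bounds check the advisory says is missing, as an added example (not GNU Chess source code): a command reader that rejects overlong lines and discards their remainder, so the tail is not parsed as a second command. The name `read_command`, the `CMD_BUF` size and the sample commands are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 128  /* assumed size for this example, not GNU Chess's value */

/* Unchecked pattern of the kind the advisory describes (comment only,
 * never compiled here):
 *     char cmd[CMD_BUF];
 *     scanf("%s", cmd);    // no width limit: long input runs past cmd[]
 */

/* Read one command line from `in` into buf (size bytes, size >= 2).
 * Returns the command length (newline stripped), -1 on EOF, or -2 if the
 * line did not fit. Lines of size-1 bytes or more are rejected and the
 * rest of the line is drained from the stream. */
int read_command(FILE *in, char *buf, size_t size)
{
    size_t len;
    int c;

    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {   /* whole line fit */
        buf[--len] = '\0';
        return (int)len;
    }
    c = fgetc(in);                   /* no newline seen: EOF or overlong? */
    if (c == EOF)
        return (int)len;             /* final line without a newline */
    while (c != '\n' && c != EOF)    /* drain the overlong remainder */
        c = fgetc(in);
    buf[0] = '\0';                   /* reject rather than truncate */
    return -2;
}

int main(void)
{
    char cmd[CMD_BUF];
    int i, n;
    FILE *in = tmpfile();            /* constructed sample input */
    if (!in) return 1;
    fputs("e2e4\n", in);
    for (i = 0; i < 500; i++) fputc('A', in);
    fputs("\nquit\n", in);
    rewind(in);
    while ((n = read_command(in, cmd, sizeof cmd)) != -1)
        puts(n == -2 ? "rejected: command too long" : cmd);
    fclose(in);
    return 0;
}
```

Rejecting instead of truncating matters: a silently truncated command could be interpreted as a different, valid command.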