FreeBSD : multiple buffer overflows in xboing (e25566d5-6d3f-11d8-83a4-000a95bc6fae)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Steve Kemp reports (in a Debian bug submission) :

Due to improper bounds checking it is possible for a malicious user to
gain a shell with membership group 'games'. (The binary is installed
setgid games).

Environmental variables are used without being bounds-checked in any
way, from the source code :

highscore.c :

    /* Use the environment variable if it exists */
    if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
        strcpy(filename, str);
    else
        strcpy(filename, HIGH_SCORE_FILE);

misc.c :

    if ((ptr = getenv("HOME")) != NULL)
        (void) strcpy(dest, ptr);

Neither of these checks are bounds-checked, and will allow arbitrary
shell code to be run.
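
A bounds-checked form of the two copies quoted above, given here as an added example; it is not part of the quoted report and is not the xboing or FreeBSD patch. The helper name copy_env_bounded, the buffer sizes and the HIGH_SCORE_FILE value are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder value: the real definition is not shown on the page. */
#define HIGH_SCORE_FILE "/path/to/xboing.scores"

/*
 * Copy environment variable `name` into dest (capacity destsize bytes).
 * An unset or over-length value is never copied; `fallback` is used instead.
 * Returns 0 = environment value used, 1 = fallback used, -1 = nothing fits.
 */
int copy_env_bounded(char *dest, size_t destsize, const char *name,
                     const char *fallback)
{
    const char *src = getenv(name);

    if (dest == NULL || destsize == 0)
        return -1;
    dest[0] = '\0';
    if (src != NULL && strlen(src) < destsize) {
        memcpy(dest, src, strlen(src) + 1);       /* length checked above */
        return 0;
    }
    if (fallback != NULL && strlen(fallback) < destsize) {
        memcpy(dest, fallback, strlen(fallback) + 1);
        return 1;
    }
    return -1;
}

int main(void)
{
    char filename[64], oversized[512];

    /* Constructed over-length input: 511 bytes aimed at a 64-byte buffer. */
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';
    setenv("XBOING_SCORE_FILE", oversized, 1);

    int rc = copy_env_bounded(filename, sizeof(filename),
                              "XBOING_SCORE_FILE", HIGH_SCORE_FILE);
    printf("rc=%d filename=%s\n", rc, filename);
    return rc == 1 ? 0 : 1;
}
```

Rejecting an over-length value, rather than truncating it, keeps a setgid program from opening a path that differs from the one the caller supplied.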

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924
http://www.nessus.org/u?ab835bbc

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 3.8
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 37706 (freebsd_pkg_e25566d56d3f11d883a4000a95bc6fae.nasl)

Bugtraq ID: 9764

CVE ID: CVE-2004-0149
