GNU Chess lets most modern computers play a full game of chess. A buffer overflow in the product allows execution of arbitrary code.
Credit:
The information has been provided by Bernhard Kuemel.
Vulnerable systems:
GNU Chess versions prior to 5.03beta
Immune systems:
GNU Chess version 5.03beta
GNU Chess contains a buffer overflow vulnerability that may lead to arbitrary command execution if an attacker is permitted to send commands to GNU Chess remotely via the Internet.
Example:
$ gdb ./gnuchess
(gdb) run
Starting program: /usr/src/gnuchess/./gnuchess
GNU Chess v5.02
Transposition table: Entries=1024K Size=32768K
Pawn hash table: Entries=384K Size=18432K
White (1) : AAAAAAAAAAAAAAA1234567890

Program received signal SIGSEGV, Segmentation fault.
0x35343332 in ?? ()

The faulting address 0x35343332 is the little-endian ASCII bytes "2345" taken from the input string, showing that the saved return address was overwritten by the move text.
Vulnerable code:
In file cmd.c:
65 void InputCmd ()
66 /*************************************************************************
67 *
68 * This is the main user command interface driver.
69 *
70 ***********************************************************************
477 /* everything else must be a move */
(Or e.g. malicious input)
478 else
479 {
480 ptr = ValidateMove (cmd);
In file move.c:
500 leaf * ValidateMove (char *s)
501 /*************************************************************************
502 *
503 * This routine takes a string and check to see if it is a legal move.
504 * Note. At the moment, we accept 2 types of moves notation.
505 * 1. e2e4 format. 2. SAN format. (e4)
506 *
507 ***********************************************************************
508 {
509 short f, t, side, rank, file, fileto;
510 short piece, kount;
This is the reason for the overflow:
511 char mvstr[10], *p;
^^
512 BitBoard b;
513 leaf *n1, *n2;
514
524 p = mvstr;
525 do
526 {
527 if (*s != 'x' && *s != '+' && *s != '=')
The overflow happens here:
528 *p++ = *s;
^^^^^^^^^^
529 } while (*s++ != '\0');
You may eliminate the vulnerability by defining
511 char mvstr[64], *p;
since cmd.c already limits each input line to 64 bytes, so fgets stores at most 63 characters plus the terminating NUL and the stripped copy can never exceed 64 bytes:
120 if (fgets (inputstr, 64, stdin) && inputstr[0])
121 inputstr[strlen(inputstr)-1] = '\000';
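The copy loop from ValidateMove next to a bounded rewrite of it, as an added example that is not GNU Chess code; the copy_move_* names and the constructed test inputs are assumptions made here, while the 10 and 64 byte sizes are the ones quoted from move.c and cmd.c above.

```c
#include <stdio.h>
#include <string.h>

#define MVSTR_LEN_ORIG  10   /* char mvstr[10] in move.c line 511 */
#define INPUT_LEN       64   /* fgets(inputstr, 64, stdin) in cmd.c line 120 */

/* The copy as ValidateMove performs it: drops 'x', '+' and '=', and stops
 * only at the NUL, so it writes up to strlen(s)+1 bytes into out regardless
 * of how large out really is. This is the pattern that overruns mvstr[10]. */
void copy_move_unbounded(const char *s, char *out)
{
    char *p = out;
    do {
        if (*s != 'x' && *s != '+' && *s != '=')
            *p++ = *s;
    } while (*s++ != '\0');
}

/* Bounded version: same stripping, but never writes past out[cap-1].
 * Returns 1 when the stripped move fits (out is NUL-terminated), 0 otherwise. */
int copy_move_bounded(const char *s, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (; *s != '\0'; s++) {
        if (*s == 'x' || *s == '+' || *s == '=')
            continue;
        if (n + 1 >= cap)        /* keep one byte for the terminator */
            return 0;
        out[n++] = *s;
    }
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: two ordinary moves and the advisory's crash string. */
    const char *moves[] = { "e2e4", "exd5+", "AAAAAAAAAAAAAAA1234567890" };
    char buf[INPUT_LEN];
    for (size_t i = 0; i < sizeof moves / sizeof moves[0]; i++) {
        int ok10 = copy_move_bounded(moves[i], buf, MVSTR_LEN_ORIG);
        int ok64 = copy_move_bounded(moves[i], buf, INPUT_LEN);
        printf("%-26s fits in 10: %d  fits in 64: %d\n", moves[i], ok10, ok64);
    }
    return 0;
}
```

The crash string is rejected by the 10-byte bound but fits in a 64-byte buffer, which is why matching mvstr to the fgets limit in cmd.c closes the overflow.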