COMMAND

    Lizards game

SYSTEMS AFFECTED

    Linux Slackware 3.4

PROBLEM

    'SUID' found the following in the suid root game called Lizards.
    He noticed a vulnerability which makes it incredibly trivial for
    regular users at the console to gain unauthorized root access.

    The exploitable code is found in the main portion of the code, on
    the second-to-last line in fact:

    ...

        system("clear");
        return EXIT_SUCCESS;
    }

    As this program does not seem to relinquish root privileges
    anywhere, it executes "clear" (supposed to be /usr/bin/clear) as
    root, assuming everything is cool. system() hands the string to
    the shell, which looks "clear" up through PATH. Simply changing
    the user's PATH environment variable to something like

        PATH=.:/usr/games/lizardlib

    and then creating a symlink  (or a sh script) called  "clear" that
    executes a  shell of  your liking,  will cause  that command to be
    executed as root when the program exits. Voila, a root shell.

    Of course this requires the game to run smoothly. This game  comes
    with Slackware 3.4 in the y package.

SOLUTION

    Quick fix should be:

        chmod -s /usr/games/lizardlib/lizardshi

    However, why is this suid root? It uses svgalib, and the mistaken
    notion that svgalib requires programs to be setuid root is still
    in every doc and HOWTO about svgalib programming several years
    after this has been fixed. After all, what's the purpose of games
    on the system? Erase that!
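
    The source-level fix that the PROBLEM section implies, as an added
    example in C (not the Lizards source): give up the setuid privileges
    for good, then run the helper by absolute path with a fixed
    environment instead of calling system("clear"). The names
    drop_privileges and run_absolute and the fixed PATH/TERM values are
    assumptions of this example.

```c
/* Added example, not the Lizards source. Function names and the fixed
 * PATH/TERM values are assumptions made for illustration. */
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    /* Group first: after setuid() we may no longer be allowed to change it. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop really happened before trusting it. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* For an ordinary user, getting root back must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run a helper by absolute path, no shell, no PATH lookup; returns exit status or -1. */
int run_absolute(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", "TERM=linux", NULL };
    int status;
    pid_t pid;
    if (path == NULL || path[0] != '/')
        return -1;                  /* refuse names that PATH could redirect */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);  /* caller's environment is not inherited */
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const clear_argv[] = { "clear", NULL };
    if (drop_privileges() != 0)
        return EXIT_FAILURE;
    run_absolute("/usr/bin/clear", clear_argv);   /* replaces system("clear") */
    return EXIT_SUCCESS;
}
```

    Either measure alone closes this hole; together they also cover
    the case where another helper call is added later.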