@kravietz (!? is a chess annotation for "dubious move")

OCR Output (chars: 2309) 

@abliss
CVE-2018-90017117
Common Vulnerabilities and Exposures

Also known as: #KingMe attack
Published 2018-12-03
Partial embargo until 2019-04-01
Reported by t0n7 of East Coast Hacking Organization

Description

An input validation error in the move parser allows remote privilege escalation.

Background

The popular internet chess site lichess.org allows for the import of PGN files, a standard text-based interchange format for giving the sequence of moves in a game. Moves look like "e4" (move a pawn to the e4 square) or "Qxd3" (queen captures on d3) or "Rcc8" (the rook on the c file moves to c8). When a pawn moves into the last or first rank, it usually promotes to queen, but may legally promote to a bishop, knight, or rook at the player's option. This preference is specified using the notation g8=B (or N for knight, R for rook, or Q for queen to optionally be explicit). lichess.org does not properly implement this syntax, and allows a move like g8=K, which is not legal chess.

Impact

The pawn is promoted to a king. This is a privilege escalation vulnerability, because the king has privileges that the pawn does not have, such as the privilege to be checkmated.

Scope

The issue is only confirmed during PGN import (e.g. in "analysis board"). In live games, it is possible to use keyboard entry of moves in PGN notation, but =K is ignored. It is possible that these moves are only rejected in the frontend and would be allowed by the underlying chess engine (if made directly through the API, for example). After a second king is introduced, the game appears to be quite broken; some parts of the interface behave as though the game is a draw and no further moves are allowed, but the computer continues to suggest lines in the background. When evaluating this vulnerability in other systems, note that the king has not yet moved, and so could erroneously be considered eligible to castle (e.g. with the h8 rook), a potential 0-0-day.

[Screenshot: After 5. ... gxh1=K?!, black promotes their g pawn to a second king.]

Example exploit

1. f4 e5 2. Nf3 exf4 3. g4 fxg3 4. Ng1 g2 5. Nf3 gxh1=K
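The kind of input-validation check the advisory says the move parser lacks, as an added example that is neither lichess code nor the advisory author's: it enforces the SAN promotion grammar (a "=X" suffix only on a pawn move to rank 1 or 8, with X limited to Q, R, B, N) and runs it over the line above. The regex grammar, function names and constructed movetext are my own.

```python
import re

# Subset of SAN: castling, piece moves (with optional disambiguation/capture),
# and pawn moves/captures with an optional "=X" promotion suffix. Trailing
# check/mate marks and annotations such as "?!" are tolerated. Constructed grammar.
_SAN_RE = re.compile(
    r"^(?:"
    r"(?P<castle>O-O(?:-O)?)"
    r"|(?P<piece>[KQRBN])(?P<disamb>[a-h]?[1-8]?)x?(?P<pto>[a-h][1-8])"
    r"|(?P<pfrom>[a-h])?x?(?P<to>[a-h][1-8])(?:=(?P<promo>[A-Z]))?"
    r")[+#]?[!?]*$"
)
# A king is deliberately absent: it is never a legal promotion piece.
PROMOTION_PIECES = frozenset("QRBN")


def validate_san(move: str) -> tuple[bool, str]:
    """Return (ok, reason). Checks SAN syntax only, not board legality."""
    m = _SAN_RE.match(move)
    if not m:
        return False, f"{move}: not SAN syntax"
    if m.group("castle") or m.group("piece"):
        return True, "ok"          # non-pawn moves cannot carry a promotion
    to, promo = m.group("to"), m.group("promo")
    on_last_rank = to[1] in "18"
    if promo is None:
        if on_last_rank:
            return False, f"{move}: pawn reaching {to} must declare a promotion piece"
        return True, "ok"
    if not on_last_rank:
        return False, f"{move}: promotion is only allowed on rank 1 or 8"
    if promo not in PROMOTION_PIECES:
        return False, f"{move}: illegal promotion piece {promo!r} (allowed: Q, R, B, N)"
    return True, "ok"


def validate_movetext(movetext: str) -> list[str]:
    """Drop move-number tokens ("5.", "5...", "...") and collect rejection reasons."""
    tokens = [t for t in movetext.split() if not re.fullmatch(r"\d+\.(?:\.\.)?|\.\.\.", t)]
    return [reason for ok, reason in map(validate_san, tokens) if not ok]


# Constructed input: the #KingMe line from the advisory above.
KINGME_LINE = "1. f4 e5 2. Nf3 exf4 3. g4 fxg3 4. Ng1 g2 5. Nf3 gxh1=K"

if __name__ == "__main__":
    for problem in validate_movetext(KINGME_LINE):
        print(problem)
```

Only the final move is rejected; the en passant capture and the knight retreats pass because the check is purely syntactic.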

Classification - Office Use Only

CVSS v3.0 Severity and Metrics
Vector: AV:/AC:1/PR:M/UI:8/S:0/C:8/I:8/A:N (V3 Legend)
Impact Score: 7.9
Exploitability Score: 8.9
