Forwarded from ☕️ Мерлин заваривает τσάι 🐌
#KingMe attack
An input validation error in the move parser allows remote privilege escalation.
The popular internet chess site lichess.org allows for the import of PGN files, a standard text-based inter-change format for giving the sequence of moves in a game. Moves look like “e4” (move a pawn to the e4 square) or “Qxd3” (queen captures on d3) or “Rcc8” (the rook on the C file moves to c8). When a pawn moves into the last or first rank, it usually promotes to queen, but may legally promote to a bishop, knight, or rook at the player’s option. This preference is specified using the notation g8=B (or N for knight, R for rook, or Q for queen to optionally be explicit). lichess.org does not properly implement this syntax, and allows a move like g8=K, which is not legal chess.
The pawn is promoted to a king. This is a privilege escalation vulnerability, because the king has privileges that the pawn does not have, such as the privilege to be checkmated.
http://tom7.org/chess/cve.pdf
An input validation error in the move parser allows remote privilege escalation.
The popular internet chess site lichess.org allows for the import of PGN files, a standard text-based inter-change format for giving the sequence of moves in a game. Moves look like “e4” (move a pawn to the e4 square) or “Qxd3” (queen captures on d3) or “Rcc8” (the rook on the C file moves to c8). When a pawn moves into the last or first rank, it usually promotes to queen, but may legally promote to a bishop, knight, or rook at the player’s option. This preference is specified using the notation g8=B (or N for knight, R for rook, or Q for queen to optionally be explicit). lichess.org does not properly implement this syntax, and allows a move like g8=K, which is not legal chess.
The pawn is promoted to a king. This is a privilege escalation vulnerability, because the king has privileges that the pawn does not have, such as the privilege to be checkmated.
http://tom7.org/chess/cve.pdf
😁11👍2