DGUX lpsched buffer overflow

[Luciano Miguel Ferreira Rocha <strange () nsk yi org>]

Hi there!

There's a vulnerability in DG's UNIX implementation (DGUX), version R4.20MU06
and MU02 (ia32 arch).

The problem is when a very long, non-existant, printer name is passed to the
program lpsched. It tries to format an error message and then the buffer
overflow occurs...

Data General was told about the vulnerability over almost two years ago (as the
computer department of my university, Universidade do Minho, Portuga). Or at
least I tried to, but didn't get an answer from any email address I tried.

I didn't post this to bugtraq before because I forgot about it. Brownsing from
old archives of mine I found this and decided to post it.

How to exploit:
        - Use the attached exploit program like this:
                ./squash-dgux-x86 29000 /usr/lib/lp/lpsched -S EGG
                (if the 29000 doesn't work, try 27428 or other numbers)
        - Details of the shell code and the vulnerability can be found in
                http://strange.nsk.yi.org/squash-dgux-x86/
        - Unfortunantely I have no longer access to a DGUX system, so I can't
                find more vulnerabilities...

Fix:
        - chmod -s /usr/lib/lp/lpsched
        - switch to a better UNIX like system (sorry, dgux people)

hugs
        Luciano Rocha

Attachment: squash-dgux-x86.c
Description: squash-dgux-x86.c