[1397] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: write(1) security problem

daemon@ATHENA.MIT.EDU (Dave G.)
Wed Jan 22 11:03:04 1997

Date: Mon, 20 Jan 1997 07:58:52 -0500 (EST)
From: "Dave G." <daveg@escape.com>
To: David Holland <dholland@eecs.harvard.edu>
cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

 
> Some versions (the util-linux version, but not the netwrite or netkit
> versions) of /usr/bin/write have a buffer overrun problem that is
> almost certainly exploitable. Note that this gives access to the tty
> group, but not (directly) root.
> 
> The fix is to change the two sprintfs to snprintfs. Patches have been
> mailed to the maintainer.
 
While I agree that routines that do not bounds check can be dangerous, 
from the looks of things, there is no buffer overrun regarding the 2 
sprintf()s in this code.

Both of the sprintf()s in this code are identical:

>From util-linux-2.6:
269:    (void)sprintf(path, "/dev/%s", tty);
300:    (void)sprintf(path, "/dev/%s", tty);

In order to pass in the evil buffer, one has to get by either 
search_utmp() or utmp_chk().  Both of these check utmp to see if it can 
find a tty & user pair that matches the ones you requested.

[mod: David Holland acknowledges this. -- REW]

Did I miss something?


Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg


home help back first fref pref prev next nref lref last post