[1397] in linux-security and linux-alert archive
[linux-security] Re: write(1) security problem
daemon@ATHENA.MIT.EDU (Dave G.)
Wed Jan 22 11:03:04 1997
Date: Mon, 20 Jan 1997 07:58:52 -0500 (EST)
From: "Dave G." <daveg@escape.com>
To: David Holland <dholland@eecs.harvard.edu>
cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> Some versions (the util-linux version, but not the netwrite or netkit
> versions) of /usr/bin/write have a buffer overrun problem that is
> almost certainly exploitable. Note that this gives access to the tty
> group, but not (directly) root.
>
> The fix is to change the two sprintfs to snprintfs. Patches have been
> mailed to the maintainer.
While I agree that routines that do not bounds check can be dangerous,
from the looks of things, there is no buffer overrun regarding the 2
sprintf()s in this code.
Both of the sprintf()s in this code are identical:
>From util-linux-2.6:
269: (void)sprintf(path, "/dev/%s", tty);
300: (void)sprintf(path, "/dev/%s", tty);
In order to pass in the evil buffer, one has to get by either
search_utmp() or utmp_chk(). Both of these check utmp to see if it can
find a tty & user pair that matches the ones you requested.
[mod: David Holland acknowledges this. -- REW]
Did I miss something?
Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg