[5094] in bugtraq


Re2: Small problem in AIX write command: Executes shell

daemon@ATHENA.MIT.EDU (DI. Dr. Klaus Kusche)
Mon Aug 4 10:14:35 1997

Date: 	Mon, 4 Aug 1997 09:06:00 PDT
Reply-To: "DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
From: "DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199708011834.OAA15053@burgundy.eecs.harvard.edu>

>  > At least on our AIX 4.1.5, the "write" command for sending messages to
>  > other users doesn't filter the message to be sent w.r.t. shell
>  > metacharacters: Just pipe a "telnet localhost chargen" into "write
>  > somebody", and you will receive error messages saying that a "sh" tries
>  > to execute parts of the text being sent. Modify the input to "write" a
>  > little bit (to contain actual shell commands), and they will be
>  > executed.
>
> This is because some versions of write, apparently including that one,
> support shell escapes for the user typing into them.
>
> RTFM. :-)

Sorry, I apologize for not reading the complete man page carefully.
It's there ...

> Now, if write is installed setgid tty (as is customary, though I don't
> know about AIX) it'd be interesting to know if the resulting shell
> inherited group tty or not.

AIX write isn't suid or sgid.

However, if you make it suid or sgid something (e.g. to
allow a nonprivileged account to send
forced messages even to users having messages switched off),
the shell seems to happily inherit any privileges you give to write...

> --
>    - David A. Holland             |    VINO project home page:
>      dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394   Fax: +43 732 7720 - 3198
Email: Klaus.Kusche@ooe.gv.at
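The inheritance problem described in this exchange is generic: a shell spawned by a setuid/setgid helper runs with whatever effective IDs are live at exec time. The following is an added example written for this archive page, not code from the original posts and not AIX's write(1): it shows how a helper that offers a shell escape should permanently drop its elevated IDs in the child before handing control to the shell, and verify that the drop took effect. It assumes a Linux/glibc (or BSD) system with setresuid/setresgid and a /bin/sh; run as an ordinary user it simply confirms that real and effective IDs match.

```c
/* Added example (not part of the original bugtraq post): dropping
 * setuid/setgid privileges before spawning a user-controlled shell
 * escape. Assumes setresuid/setresgid (Linux/glibc, BSD) and /bin/sh. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>

/* 1 when effective IDs equal real IDs, i.e. nothing elevated would be
 * passed on to a child process; 0 otherwise. */
int privileges_dropped(void) {
    return geteuid() == getuid() && getegid() == getgid();
}

/* Permanently give up any setuid/setgid privilege. Order matters: clear
 * the group side first (once the uid is gone, gid changes may be refused),
 * then the user side. Setting real, effective and saved IDs together
 * prevents the child from switching back. Returns 0 on success, -1 on
 * any failure. */
int drop_privileges(void) {
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Supplementary groups can only be changed by root; a non-root helper
     * has nothing to clear here. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Confirm the kernel really applied the change before trusting it. */
    if (!privileges_dropped())
        return -1;
    return 0;
}

/* Run a shell escape in a child that has first dropped the helper's
 * elevated IDs. Returns the child's exit status (0..255), or -1 if the
 * child could not be started or did not exit normally. */
int run_unprivileged_shell(const char *cmd) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Refuse to run the escape at all if the drop fails. */
        if (drop_privileges() != 0)
            _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed demo: the "escape" only reports whether the shell it
     * landed in still has elevated IDs (exit 0 means real == effective). */
    int rc = run_unprivileged_shell(
        "[ \"$(id -u)\" = \"$(id -ru)\" ] && [ \"$(id -g)\" = \"$(id -rg)\" ]");
    printf("shell ran with real == effective ids: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

The check in privileges_dropped() after the drop is the part most often omitted: on some systems the set*id calls can fail silently for non-root callers, and a helper that does not re-verify will spawn the shell with exactly the group or user the thread warns about.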
