[9877] in bugtraq


Re: Solaris "/usr/bin/write" bug

daemon@ATHENA.MIT.EDU (Dan - Sr. Admin)
Wed Mar 10 14:50:18 1999

Date: 	Tue, 9 Mar 1999 15:45:16 +0000
Reply-To: "Dan - Sr. Admin" <dm@GLOBALSERVE.NET>
From: "Dan - Sr. Admin" <dm@GLOBALSERVE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199903080630.PAA30768@kosnet.net>; from bugscan@KOSNET.NET on
              Mon, Mar 08, 1999 at 03:30:36PM +0900

> This is my first post to BugTraq
> If this is old, I'm sorry.
> When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
> interesting.
> It's a buffer overflow bug in "/usr/bin/write".
> To ensure, view this command:

[snip]

> ( Solaris 2.6 and 2.7 maybe .. )
>
> bye bye ~    :)

Confirmed under Sparc Solaris 2.6.

Although I have no source code to verify this, I would assume the problem
lies in a sprintf() call (or something similar) that builds the device to
open from the tty you specify on the command line.

However, even if this is overflowable into a shell with tty permissions,
I can see nothing useful coming out of it.

crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0

Those are the permissions on the terminal.  The most I can see happening is
someone writing to my screen when I have messages turned off.

Regards,
--
Dan Moschuk (TFreak!dm@globalserve.net)
Senior Systems/Network Administrator
Globalserve Communications Inc., a Primus Canada Company
"Be different: conform."

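The pattern guessed at in the reply above (a device path built from the tty argument with sprintf()), shown next to a bounded form. This is an added example, not part of the original post and not Solaris source; the function names, the "/dev/" prefix handling and the 32-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX   "/dev/"
#define TTY_PATH_MAX 32   /* assumed buffer size, for illustration only */

/* Hypothetical "before": the command-line argument is copied with no bound.
 * Any argument longer than the space left after "/dev/" writes past path. */
void build_tty_path_unsafe(const char *tty, char path[TTY_PATH_MAX])
{
    sprintf(path, DEV_PREFIX "%s", tty);
}

/* Hardened form: validate the name, bound the write, treat truncation as an
 * error. Returns 0 on success, -1 if the argument is rejected. */
int build_tty_path(const char *tty, char *path, size_t pathlen)
{
    int n;

    if (tty == NULL || path == NULL || pathlen == 0 || tty[0] == '\0')
        return -1;
    /* Refuse absolute paths and ".." so the result stays under /dev. */
    if (tty[0] == '/' || strstr(tty, "..") != NULL)
        return -1;

    n = snprintf(path, pathlen, DEV_PREFIX "%s", tty);
    if (n < 0 || (size_t)n >= pathlen) {   /* would not fit: reject */
        path[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[TTY_PATH_MAX];
    char longarg[256];                     /* constructed over-long argument */
    int rc;

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    rc = build_tty_path("pts/0", path, sizeof path);
    printf("pts/0         -> %d (%s)\n", rc, path);
    rc = build_tty_path(longarg, path, sizeof path);
    printf("255 x 'A'     -> %d\n", rc);
    rc = build_tty_path("../etc/passwd", path, sizeof path);
    printf("../etc/passwd -> %d\n", rc);
    return 0;
}
```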