[9898] in bugtraq
Re: Solaris "/usr/bin/write" bug
daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Mar 12 15:56:27 1999
Date: 	Thu, 11 Mar 1999 10:52:11 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         dm@GLOBALSERVE.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990309154516.B89682@globalserve.net> from "Dan - Sr. Admin" at Mar 9, 99 03:45:16 pm
In some mail from Dan - Sr. Admin, sie said:
>
> > This is my first post to BugTraq
> > If this is old, I'm sorry.
> > when playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
> > interesting.
> > It's a buffer overflow bug in "/usr/bin/write".
> > To confirm, see this command:
>
> [snip]
>
> > ( Solaris 2.6 and 2.7 maybe .. )
> >
> > bye bye ~    :)
>
> Confirmed under Sparc Solaris 2.6.
>
> Although I have no source code to verify this, I would assume the problem
> lies in a sprintf() call (or something similar) that builds the device to
> open from the tty you specify on the command line.
>
> However, even if this is overflowable into a shell with tty permissions,
> I can see nothing useful coming out of it.
>
> crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0
>
> Those are the permissions on the terminal.  The most I can see happening is
> someone writing to my screen when I have messages turned off.
Function call tracing (a new feature of truss) in Solaris 2.7 should be
able to confirm the location of the problem.
Darren
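The pattern Dan guesses at (an unbounded sprintf() building "/dev/<tty>" into a fixed buffer from the tty named on the command line) next to a bounded, validated replacement. This is an added illustration written for this archive page, not Solaris source, which nobody in the thread had; the buffer size, function names and the accepted tty-name syntax are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Assumed buffer size for the illustration; the real size is unknown. */
#define DEVBUF 32

/* Hypothetical reconstruction of the suspected bug: nothing bounds the
 * copy, so a tty argument longer than DEVBUF - 6 bytes overruns the
 * caller's buffer. Shown only for contrast; do not feed it long input. */
int build_dev_path_unsafe(const char *tty, char *out /* DEVBUF bytes */)
{
    sprintf(out, "/dev/%s", tty);
    return 0;
}

/* Hardened form: validate the tty name so the result can only be a node
 * under /dev (letters, digits and single interior slashes, e.g. "pts/3"),
 * then format with an explicit bound and refuse to truncate silently. */
int build_dev_path_safe(const char *tty, char *out, size_t outlen)
{
    size_t i;
    int n;

    if (tty == NULL || tty[0] == '\0' || tty[0] == '/')
        return EINVAL;
    for (i = 0; tty[i] != '\0'; i++) {
        char c = tty[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '/';
        if (!ok)
            return EINVAL;          /* excludes '.', so no ".." segments */
        if (c == '/' && (tty[i + 1] == '/' || tty[i + 1] == '\0'))
            return EINVAL;          /* no "a//b", no trailing slash */
    }
    n = snprintf(out, outlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return ENAMETOOLONG;        /* would not fit: reject, never truncate */
    }
    return 0;
}

int main(int argc, char **argv)
{
    char dev[DEVBUF];
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s tty\n", argv[0]);
        return 2;
    }
    rc = build_dev_path_safe(argv[1], dev, sizeof dev);
    if (rc != 0) {
        fprintf(stderr, "rejected tty name: %s\n", strerror(rc));
        return 1;
    }
    printf("would open %s\n", dev);
    return 0;
}
```

The bounded snprintf() alone stops the overflow; the character check is the extra step a setgid-tty program wants so the constructed path cannot wander outside /dev. As Dan notes, the payoff for an attacker here is only the tty group, but the fix costs nothing and the same pattern shows up in programs that run with far more than tty privileges.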