[9900] in bugtraq


Re: Solaris "/usr/bin/write" bug

daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Mar 12 16:26:54 1999

Date: 	Wed, 10 Mar 1999 23:38:38 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         "Dan - Sr. Admin" <dm@GLOBALSERVE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Tue, 09 Mar 1999 15:45:16 GMT." 
              <19990309154516.B89682@globalserve.net>

>However, even if this is overflowable into a shell with tty permissions,
>I can see nothing useful coming out of it.
>
>crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0
>
>Those are the permissions on the terminal.  The most I can see happening is
>someone writing to my screen when I have messages turned off.


No, all that can happen is that someone writes to your screen when you
have messages *ON*.


Write filters these messages for content and prepends a "from user ..."
etc message and it stops writing when messages are turned off in response
to write; with a fd to a tty you can continue to write and write arbitrary
control characters.

Casper
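
The two safeguards the message above attributes to write, sketched in C as an added example; it is not part of the original post and not Solaris source. The function names and the `^X` / `M-` rendering are assumptions chosen for illustration. A process holding a raw descriptor to the tty bypasses both.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

/* 1 if the terminal mode has the group-write bit set (messages on,
 * as in the crw--w---- listing quoted above), 0 otherwise. */
int messages_enabled(mode_t tty_mode)
{
    return (tty_mode & S_IWGRP) != 0;
}

/* Re-check the recipient's terminal before each line is delivered, so
 * delivery stops once messages are turned off. Returns -1 on error. */
int tty_accepts_messages(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return messages_enabled(st.st_mode);
}

/* Copy src to dst, passing printable ASCII, newline and tab through
 * and rewriting every other byte so the terminal cannot interpret it:
 * control characters become ^X, DEL becomes ^?, and bytes with the
 * high bit set get an "M-" prefix. Returns the output length without
 * the NUL, or (size_t)-1 if dst is too small. */
size_t sanitize_for_tty(const unsigned char *src, size_t n,
                        char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = src[i];
        int meta = (c & 0x80) != 0;
        if (o + 5 > cap)              /* worst case "M-^X" plus NUL */
            return (size_t)-1;
        if (meta) { dst[o++] = 'M'; dst[o++] = '-'; c &= 0x7f; }
        if ((!meta && (c == '\n' || c == '\t')) || (c >= 0x20 && c < 0x7f)) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '^';
            dst[o++] = (char)(c ^ 0x40);   /* ESC -> '[', DEL -> '?' */
        }
    }
    dst[o] = '\0';
    return o;
}
```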
