[19532] in Athena Bugs
"zwrite", "show" screen fux -- possible (known?) DoS
daemon@ATHENA.MIT.EDU (Usman O Akeju)
Fri Aug 3 13:34:29 2001
Message-Id: <200108031734.NAA22080@department-of-alchemy.mit.edu>
To: bugs@MIT.EDU
Date: Fri, 03 Aug 2001 13:34:18 -0400
From: Usman O Akeju <manus@MIT.EDU>

No, this has nothing to do with Zephyr bombing.. ;]

Anyway, I've noticed how some people send zephyr messages that fill the
recipient's screen with ASCII art by catting a text file and piping it
to zwrite. I've also noticed that if you cat a binary and pipe it to
zwrite, you can really fux a user's screen if they're on Athena via
dialup, or any kind of tty.

You probably already knew that, though.. just log back on, email stopit,
user will be punished (and you know who the user is because that's the
last non-garbled bit of info you see on your screen). BUT, if my
hypothesis is correct, the "bad" user can get around this easily by having a
special signature, which could trigger the screen fux without even
having to supply a message. A simple, more elegant exploit for the
first version would look something like this:

manus@localhost% printf '\16' | zwrite -n USER

And to fix the screen (which most people wouldn't know how to do):

manus@localhost% printf '\17' | zwrite -n USER

And I'm sure you could figure out how to do the second, pseudo-anonymous
one.

The same problem comes up if someone sends another user an email message
with the same character in it, and the victim uses the show command to
read their email. The problem could be avoided if show piped everything
to less instead of more.

There are probably lots of ways to screw with that control character,
and possibly others, so maybe an update or patch to zwrite is in order?
And maybe an "alias show 'show \!* | less'" line should be added to
some default startup scripts, or something? Just an observation.

-Usman
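
Added example, not part of the original message and not code from zwrite or show: a sketch of the kind of filter the report asks for, which rewrites control bytes such as the octal 16 and 17 above into visible text before a message reaches a tty. The function name sanitize_for_tty and the sample message are hypothetical, and the filter assumes single-byte (ASCII/Latin-1) text.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not taken from zwrite or show. Copies an untrusted
 * message into out, turning control bytes into visible text so the terminal
 * never interprets them. Assumes single-byte (ASCII/Latin-1) text.
 * Returns the length written, or (size_t)-1 if out is too small. */
size_t sanitize_for_tty(const unsigned char *in, size_t n,
                        char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (cap - o < 5)      /* room for the longest escape plus NUL */
            return (size_t)-1;
        if (c == '\n' || c == '\t') {
            out[o++] = (char)c;           /* harmless layout characters */
        } else if (c < 0x20) {
            out[o++] = '^';               /* C0 control: SO 0x0e -> "^N" */
            out[o++] = (char)(c + 0x40);
        } else if (c == 0x7f) {
            out[o++] = '^';               /* DEL -> "^?" */
            out[o++] = '?';
        } else if (c >= 0x80 && c <= 0x9f) {
            /* C1 controls, which some terminals also act on */
            o += (size_t)snprintf(out + o, cap - o, "\\x%02x", (unsigned)c);
        } else {
            out[o++] = (char)c;           /* printable byte, unchanged */
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: text with SO (octal 16) and SI (octal 17) in it. */
    const unsigned char msg[] = { 'h', 'i', 0x0e, '!', 0x0f, '\n' };
    char buf[64];
    if (sanitize_for_tty(msg, sizeof msg, buf, sizeof buf) != (size_t)-1)
        fputs(buf, stdout);               /* prints: hi^N!^O */
    return 0;
}
```

The buffer check is conservative: it refuses any write that could not hold the longest escape, so the output buffer needs a few bytes of slack beyond the escaped length.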