
Bugtraq mailing list archives

Small problem in AIX write command: Executes shell
From: Klaus.Kusche () OOE GV AT (DI. Dr. Klaus Kusche)
Date: Fri, 1 Aug 1997 14:21:27 PDT

At least on our AIX 4.1.5, the "write" command for sending messages to
other users doesn't filter the message to be sent w.r.t. shell
metacharacters: Just pipe a "telnet localhost chargen" into "write
somebody", and you will receive error messages saying that a "sh" tries
to execute parts of the text being sent. Modify the input to "write" a
little bit (to contain actual shell commands), and they will be

As far as I can tell, this is a matter of shell metacharacters, not of
buffer overflows (just the first 2 lines of chargen output suffice...).

Basically, I believe the problem is not dangerous: The shell runs with
the permissions of the user calling "write", not with root permissions,
and it is executed on the local host, not the host the write is targeted

* don't trust "write" in restricted user environments (e.g. for operator
messages), they might not be as restricted as you want them to be
* don't make "write" suid (or use it in suid code), or your system is
wide open...

I think this is not related to the "writesrv" bug described in IX69168
(a buffer-overflow-based root exploit in "writesrv", the daemon for
handling "write" requests).

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394   Fax: +43 732 7720 - 3198
Email: Klaus.Kusche () ooe gv at
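
The class of problem reported above, as an added example that is not part of the original post and is not AIX code. The post does not say how "write" hands the text to "sh", so this assumes the message is spliced into a command string; relay_unsafe, relay_safe and the sample message are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample message; the part after ';' is a harmless marker. */
static const char *SAMPLE_MSG = "meeting at 10; echo INTERPRETED-BY-SH";

/* UNSAFE (assumed pattern): message spliced into a command line for sh. */
const char *relay_unsafe(const char *msg)
{
    static char out[256];
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", msg);
    FILE *fp = popen(cmd, "r");     /* popen runs the string via sh -c */
    if (!fp) return NULL;
    out[fread(out, 1, sizeof out - 1, fp)] = '\0';
    pclose(fp);
    return out;
}

/* SAFE: no shell involved; the message is a single argv element. */
const char *relay_safe(const char *msg)
{
    static char out[256];
    int fd[2];
    pid_t pid;
    if (pipe(fd) < 0 || (pid = fork()) < 0) return NULL;
    if (pid == 0) {                 /* child: stdout goes to the pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("echo", "echo", msg, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    FILE *fp = fdopen(fd[0], "r");
    if (!fp) return NULL;
    out[fread(out, 1, sizeof out - 1, fp)] = '\0';
    fclose(fp);
    waitpid(pid, NULL, 0);
    return out;
}

int main(void)
{
    printf("unsafe: %s", relay_unsafe(SAMPLE_MSG));
    printf("safe:   %s", relay_safe(SAMPLE_MSG));
    return 0;
}
```

In the unsafe path the text after ';' runs as a second command with the caller's permissions, which is why the same pattern inside suid code is far more serious.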
