Home page logo
/

bugtraq logo Bugtraq mailing list archives

Small problem in AIX write command: Executes shell
From: Klaus.Kusche () OOE GV AT (DI. Dr. Klaus Kusche)
Date: Fri, 1 Aug 1997 14:21:27 PDT


At least on our AIX 4.1.5, the "write" command for sending messages to
other users doesn't filter the message to be sent w.r.t. shell
metacharacters: Just pipe a "telnet localhost chargen" into "write
somebody", and you will receive error messages saying that a "sh" tries
to execute parts of the text being sent. Modify the input to "write" a
little bit (to contain actual shell commands), and they will be
executed.

As far as I can tell, this is a matter of shell metacharacters, not of
buffer overflows (just the first 2 lines of chargen output suffice...).

Basically, I believe the problem is not dangerous: The shell runs with
the permissions of the user calling "write", not with root permissions,
and it is executed on the local host, not the host the write is targeted
at.

However
* don't trust "write" in restricted user environments (e.g. for operator
messages), they might not be as restricted as you want them to be
* don't make "write" suid (or use it in suid code), or your system is
wide open...

P.S.:
I think this is not related to the "writesrv" bug described in IX69168
(a buffer-overflow-based root exploit in "writesrv", the daemon for
handling "write" requests).

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394   Fax: +43 732 7720 - 3198
Email: Klaus.Kusche () ooe gv at



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]