Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Solaris /usr/bin/write Vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Thu, 18 Jan 2001 18:27:52 +0100

On Wed, Jan 17, 2001 at 09:06:15AM -0300, Pablo Sor wrote:
I have written an exploit for the /usr/bin/write command , this is not a
new vulnerability but it has not been fixed at least till Solaris 7 patchs
(dont know about Solaris 8).
This command contains a buffer overflow in the second argument. If this
data exceeds predefined length, inserting two values into the argument
it is  possible to copy the first one into the memory position pointed by
the second one, using this technique it is possible to execute arbitrary
commands. I have seen some messages saying that this vulnerability could
not be exploited eitherway.
this command has sgid tty so I do not think it could generate serious
privileges problems.

it seems that this problem has been fixed on Solaris 8 i86 and Sparc. Some
dirty tests proved that Sun implemented a length check for the second

 kr () gorkie:kr> write root `perl -e 'print "s"x2000'`
 Terminal name too long.

But why not take a look at the Solaris 8 Source? ... It has also been
released in order to find (or not find) any security vulnerabilities.
Let's go sure.

According to the source of write.c the second argument cannot cause an
overflow, strlcat() is used to catch the problem.
Here is the corresponding part of the strlcat man page "string(3C)".

     Buffer overflow can be checked as follows:
     if (strlcat(dst, src, dstsize) >= dstsize)
             return -1;


Konrad Rieck <kr () r0q cx>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
--           Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]