Date: Mon, 8 Mar 1999 15:30:36 +0900
From: bugscan@KOSNET.NET
To: BUGTRAQ@netspace.org
Subject: Solaris "/usr/bin/write" bug

This is my first post to BugTraq. If this is old, I'm sorry.

When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
interesting. It's a buffer overflow bug in "/usr/bin/write".
To confirm, view this command:

( Solaris 2.6 x86 )
[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx
permission denied
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 98'`
Segmentation fault

( Solaris 2.5.1(2.5) sparc )
[love]/home/love> write loveyou `perl -e 'print "x" x 79'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
permission denied
[love]/home/love> write loveyou `perl -e 'print "x" x 80'`
Segmentation Fault

( Solaris 2.6 and 2.7 maybe .. )

bye bye ~ :)

----------------------------------------------------------------------------------

Date: Tue, 9 Mar 1999 17:16:26 +0000
From: John Riddoch
Reply-To: John Riddoch
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug

> When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
> interesting.
> It's a buffer overflow bug in "/usr/bin/write".
> To confirm, view this command:
>
> ( Solaris 2.6 x86 )
> [loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
> [loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> ( Solaris 2.6 and 2.7 maybe .. )

This also segfaults under Solaris 2.6 and 7 on SPARC. I'm not sure how
exploitable this is, as it is only sgid tty, which isn't a huge problem (but
could be nonetheless, I suppose).

--
John Riddoch   Email: jr@scms.rgu.ac.uk   Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
I am Homer of Borg. Resistance is Fu... Ooooh! Donuts!

----------------------------------------------------------------------------------

Date: Tue, 9 Mar 1999 21:22:17 -0600
From: Chris Tobkin
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug

> ( Solaris 2.6 and 2.7 maybe .. )

(Solaris 2.7 x86)
[tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 93'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx
permission denied
[tobkin@2.7_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 94'`
Segmentation fault

(Solaris 2.6 sparc)
[tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 91'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx
permission denied
[tobkin@2.6_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 92'`
Segmentation fault

Looks like 2.6 for sparc and 2.7 intel have the same problem...

// chris
tobkin@umn.edu

*************************************************************************
Chris Tobkin                                           tobkin@umn.edu
Java and Web Services - Academic and Distributed Computing Services - UMN
-----------------------------------------------------------------------
Laura: I took a business course at business college--
Jim: How did that work out?
Laura: Well, not very well...I had to drop out, it gave me...indigestion.
                        - Tennessee Williams - The Glass Menagerie
*************************************************************************

----------------------------------------------------------------------------------

Date: Tue, 9 Mar 1999 15:45:16 +0000
From: Dan - Sr. Admin
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug

> This is my first post to BugTraq
> If this is old, I'm sorry.
> When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
> interesting.
> It's a buffer overflow bug in "/usr/bin/write".
> To confirm, view this command:
[snip]
> ( Solaris 2.6 and 2.7 maybe .. )
>
> bye bye ~ :)

Confirmed under Sparc Solaris 2.6. Although I have no source code to verify
this, I would assume the problem lies in a sprintf() call (or something similar)
that builds the device to open from the tty you specify on the command line.

However, even if this is overflowable into a shell with tty permissions, I can
see nothing useful coming out of it.

crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0

Those are the permissions on the terminal. The most I can see happening is
someone writing to my screen when I have messages turned off.

Regards,

--
Dan Moschuk (TFreak!dm@globalserve.net)
Senior Systems/Network Administrator
Globalserve Communications Inc., a Primus Canada Company
"Be different: conform."

----------------------------------------------------------------------------------

Date: Wed, 10 Mar 1999 23:38:38 +0100
From: Casper Dik
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug

> However, even if this is overflowable into a shell with tty permissions,
> I can see nothing useful coming out of it.
>
> crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0
>
> Those are the permissions on the terminal. The most I can see happening is
> someone writing to my screen when I have messages turned off.

No, all that can happen is that someone writes to your screen when you have
messages *ON*. Write filters these messages for content and prepends a "from
user ..." etc. message, and it stops writing when messages are turned off in
response to write; with a fd to a tty you can continue to write and write
arbitrary control characters.

Casper

----------------------------------------------------------------------------------

Date: Thu, 11 Mar 1999 10:52:11 +1100
From: Darren Reed
To: BUGTRAQ@netspace.org
Subject: Re: Solaris "/usr/bin/write" bug

Function call tracing (a new feature of truss) in Solaris 2.7 should be able to
confirm the location of the problem.

Darren
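Dan's guess above (a sprintf() building the device path from the user-supplied tty name) and Casper's point about raw tty access suggest the two checks a defender would want in any such tool: a bounded format and a validated name. The C below is an added illustration, not code from the thread or from Solaris write(1); DEVLEN, would_overflow and build_tty_path are hypothetical names, and the 32-byte buffer size is an assumption chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size device-path buffer. The real write(1) buffer size
 * is not known from the thread; 32 is an illustrative assumption. */
#define DEVLEN 32
#define DEV_PREFIX "/dev/"

/* Returns 1 if an unchecked sprintf(buf, "/dev/%s", tty) into a DEVLEN-byte
 * buffer would run past its end (the defect the thread reports), modelled as
 * a length computation rather than actually performed. */
int would_overflow(const char *tty)
{
    return strlen(DEV_PREFIX) + strlen(tty) + 1 > DEVLEN;
}

/* Hardened form: bounded formatting plus input validation.
 * Returns 0 and fills out on success, -1 if the name is rejected or does not
 * fit. An over-long name is refused, never silently truncated, since a
 * truncated path could name a different device. */
int build_tty_path(const char *tty, char *out, size_t outlen)
{
    if (tty == NULL || *tty == '\0' || outlen == 0)
        return -1;
    /* Keep the result under /dev: no absolute paths, no ".." components. */
    if (*tty == '/' || strstr(tty, "..") != NULL)
        return -1;
    /* Only printable ASCII in a tty name (e.g. "pts/0", "term/a"). */
    for (const char *p = tty; *p != '\0'; p++) {
        if ((unsigned char)*p < 0x20 || (unsigned char)*p >= 0x7f)
            return -1;
    }
    int n = snprintf(out, outlen, "%s%s", DEV_PREFIX, tty);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char buf[DEVLEN];
    /* Constructed sample names: a normal tty, a traversal attempt, and a
     * 44-byte name in the spirit of the perl "x" x N tests in the thread. */
    const char *names[] = { "pts/0", "../../etc/passwd",
                            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" };
    for (size_t i = 0; i < 3; i++) {
        int rc = build_tty_path(names[i], buf, sizeof buf);
        printf("%-44s overflow=%d rc=%d %s\n", names[i],
               would_overflow(names[i]), rc, rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```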