Bugtraq mailing list archives
Small problem in AIX write command: Executes shell
From: Klaus.Kusche () OOE GV AT (DI. Dr. Klaus Kusche)
Date: Fri, 1 Aug 1997 14:21:27 PDT
At least on our AIX 4.1.5, the "write" command for sending messages to other users doesn't filter the message to be sent w.r.t. shell metacharacters: Just pipe a "telnet localhost chargen" into "write somebody", and you will receive error messages saying that a "sh" tries to execute parts of the text being sent. Modify the input to "write" a little bit (to contain actual shell commands), and they will be executed. As far as I can tell, this is a matter of shell metacharacters, not of buffer overflows (just the first 2 lines of chargen output suffice...). Basically, I believe the problem is not dangerous: The shell runs with the permissions of the user calling "write", not with root permissions, and it is executed on the local host, not the host the write is targeted at. However * don't trust "write" in restricted user environments (e.g. for operator messages), they might not be as restricted as you want them to be * don't make "write" suid (or use it in suid code), or your system is wide open... P.S.: I think this is not related to the "writesrv" bug described in IX69168 (a buffer-overflow-based root exploit in "writesrv", the daemon for handling "write" requests). DI. Dr. Klaus Kusche Oberoesterreichische Landesregierung / Government of Upper Austria Rechenzentrum / Computing Centre Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe) Phone: +43 732 7720 - 3394 Fax: +43 732 7720 - 3198 Email: Klaus.Kusche () ooe gv at
Current thread:
- Re: Small problem in AIX write command: Executes shell David Hedley (Aug 01)
- <Possible follow-ups>
- Small problem in AIX write command: Executes shell DI. Dr. Klaus Kusche (Aug 01)
- Re: Small problem in AIX write command: Executes shell David Holland (Aug 01)
- comp.sys.sgi.bugs: YET another security alert (sigh) Arthur Hagen (Aug 04)
- comp.sys.sgi.bugs: Re: YET another security alert (sigh) Forwarded by Kari Hurtta (Aug 05)
- CPSR #8: identd Denial of Service Corinne Posse Releases (Aug 04)
- Re: CPSR #8: identd Denial of Service Curt Sampson (Aug 04)
- Re: Small problem in AIX write command: Executes shell David Holland (Aug 01)
- INND causes cancer in laboratory rats (fwd) Dan Fleisher (Aug 01)
- Re: INND causes cancer in laboratory rats (fwd) thoth () PURPLEFROG COM (Aug 01)
- Bugs in Debian Linux's ircd package Matt (Aug 01)
- SSH LocalForward Kristof Van Damme (Aug 02)
- Security hole in rusers client David Holland (Aug 02)