Bugtraq mailing list archives
Re: Solaris /usr/bin/write Vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Thu, 18 Jan 2001 18:27:52 +0100
On Wed, Jan 17, 2001 at 09:06:15AM -0300, Pablo Sor wrote:
> I have written an exploit for the /usr/bin/write command. This is not a new vulnerability, but it has not been fixed at least till Solaris 7 patches (don't know about Solaris 8). This command contains a buffer overflow in the second argument. If this data exceeds the predefined length, inserting two values into the argument makes it possible to copy the first one into the memory position pointed to by the second one; using this technique it is possible to execute arbitrary commands. I have seen some messages saying that this vulnerability could not be exploited either way. This command has sgid tty, so I do not think it could generate serious privilege problems.
Hi,

it seems that this problem has been fixed on Solaris 8 i86 and Sparc. Some dirty tests proved that Sun implemented a length check for the second argument:

    kr@gorkie:kr> write root `perl -e 'print "s"x2000'`
    Terminal name too long.

But why not take a look at the Solaris 8 Source? ... It has also been released in order to find (or not find) any security vulnerabilities. Let's make sure.

According to the source of write.c the second argument cannot cause an overflow; strlcat() is used to catch the problem. Here is the corresponding part of the strlcat man page "string(3C)". Buffer overflow can be checked as follows:

    if (strlcat(dst, src, dstsize) >= dstsize)
            return -1;

Regards,
Konrad

-- 
Konrad Rieck <kr () r0q cx>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
-- Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
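The string(3C) idiom Konrad quotes, worked through as an added example (this is not code from either poster nor from the Solaris write.c source). It assumes, purely for illustration, that the program builds a device path by prepending "/dev/" to the user-supplied terminal name, and it carries its own bounded_strlcat() with the same semantics as strlcat(3C) because not every libc ships one. The function names unchecked_tty_path and checked_tty_path are hypothetical; the unbounded form is shown only for contrast and is never run on oversized input.

```c
#include <stdio.h>
#include <string.h>

/* Local reimplementation of strlcat(3C) semantics (assumed here because some
 * libcs lack it): append src to dst, always NUL-terminate when dstsize > 0,
 * and return the length the result would have had without truncation, i.e.
 * strlen(initial dst) + strlen(src). A return value >= dstsize therefore
 * means the caller's buffer was too small. */
static size_t bounded_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0;
    while (dlen < dstsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dstsize)            /* dst not terminated within dstsize */
        return dstsize + slen;
    size_t room = dstsize - dlen - 1;
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Unbounded form: no length check at all. This is the shape of bug the
 * thread is about; a terminal name longer than the buffer runs off its end.
 * Shown for contrast only; main() below calls it with a short name. */
static void unchecked_tty_path(char *dst, const char *term)
{
    strcpy(dst, "/dev/");
    strcat(dst, term);              /* overflows dst when term is too long */
}

/* Hardened form using the string(3C) check quoted in the reply. Both the
 * prefix and the terminal name are appended with a bounded call, and a
 * result >= dstsize is rejected instead of being used truncated.
 * Returns 0 on success, -1 when the terminal name does not fit. */
static int checked_tty_path(char *dst, size_t dstsize, const char *term)
{
    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (bounded_strlcat(dst, "/dev/", dstsize) >= dstsize)
        return -1;
    if (bounded_strlcat(dst, term, dstsize) >= dstsize)
        return -1;                  /* "Terminal name too long." */
    return 0;
}

int main(void)
{
    char path[32];
    char longname[2001];            /* constructed input, like the 2000 's' test above */

    unchecked_tty_path(path, "pts/3");
    printf("unchecked, short name: %s\n", path);

    memset(longname, 's', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (checked_tty_path(path, sizeof path, "pts/3") == 0)
        printf("checked, short name:   %s\n", path);
    if (checked_tty_path(path, sizeof path, longname) == -1)
        printf("checked, 2000-byte name: Terminal name too long.\n");
    return 0;
}
```

The check rejects on equality too: when the assembled path needs exactly dstsize bytes before the terminating NUL, strlcat reports dstsize, the terminator would have been dropped, and the caller must treat that as an error rather than a near miss.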
Current thread:
- Solaris /usr/bin/write Vulnerability Pablo Sor (Jan 17)
- Re: Solaris /usr/bin/write Vulnerability Konrad Rieck (Jan 18)