Date: Mon, 8 Mar 1999 15:30:36 +0900
From: [email protected]
To: [email protected]
Subject: Solaris "/usr/bin/write" bug
This is my first post to BugTraq.
If this is old, I'm sorry.
When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
interesting.
It's a buffer overflow bug in "/usr/bin/write".
To ensure, view this command:
( Solaris 2.6 x86 )
[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 98'`
Segmentation fault
( Solaris 2.5.1(2.5) sparc )
[love]/home/love> write loveyou `perl -e 'print "x" x 79'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
permission denied
[love]/home/love> write loveyou `perl -e 'print "x" x 80'`
Segmentation Fault
( Solaris 2.6 and 2.7 maybe .. )
bye bye ~ :)
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 17:16:26 +0000
From: John Riddoch <[email protected]>
Reply-To: John Riddoch <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
>when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
> interesting.
>It's buffer overflow bug in "/usr/bin/write"
>To ensure, view this command :
>
>( Solaris 2.6 x86 )
>[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
>[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>( Solaris 2.6 and 2.7 maybe .. )
This also segfaults under Solaris 2.6 and 7 on SPARC.
I'm not sure how exploitable this is, as it is only sgid tty, which isn't a
huge problem (but could be nonetheless, I suppose).
--
John Riddoch Email: [email protected] Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
I am Homer of Borg. Resistance is Fu... Ooooh! Donuts!
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 21:22:17 -0600
From: Chris Tobkin <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
> ( Solaris 2.6 and 2.7 maybe .. )
(Solaris 2.7 x86)
[[email protected]_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 93'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[[email protected]_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 94'`
Segmentation fault
(Solaris 2.6 sparc)
[[email protected]_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 91'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx permission denied
[[email protected]_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 92'`
Segmentation fault
Looks like 2.6 for sparc and 2.7 intel have the same problem...
// chris
[email protected]
*************************************************************************
Chris Tobkin [email protected]
Java and Web Services - Academic and Distributed Computing Services - UMN
-----------------------------------------------------------------------
Laura: I took a business course at business college--
Jim: How did that work out?
Laura: Well, not very well...I had to drop out, it gave me...indigestion.
- Tennessee Williams - The Glass Menagerie
*************************************************************************
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 15:45:16 +0000
From: Dan - Sr. Admin <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
> This is my first post to BugTraq
> If this is old, I'm sorry.
> when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
> interesting.
> It's buffer overflow bug in "/usr/bin/write"
> To ensure, view this command :
[snip]
> ( Solaris 2.6 and 2.7 maybe .. )
>
> bye bye ~ :)
Confirmed under Sparc Solaris 2.6.
Although I have no source code to verify this, I would assume the problem
lies in a sprintf() call (or something similar) that builds the device to
open from the tty you specify on the command line.
However, even if this is overflowable into a shell with tty permissions,
I can see nothing useful coming out of it.
crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0
Those are the permissions on the terminal. The most I can see happening is
someone writing to my screen when I have messages turned off.
Regards,
--
Dan Moschuk ([email protected])
Senior Systems/Network Administrator
Globalserve Communications Inc., a Primus Canada Company
"Be different: conform."
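
[Added example, not part of the thread and not taken from Solaris source: a sketch of the pattern hypothesized in the message above, an unchecked sprintf() building a device path from a command-line argument, beside a bounded form that rejects oversized input. The function names, the "/dev/" prefix handling and the 32-byte buffer size are assumptions made for illustration.]

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX   "/dev/"
#define DEV_PATH_MAX 32   /* assumed buffer size, for illustration only */

/* Unchecked pattern of the kind suspected in the thread: the length of
 * `tty` is never compared with the size of the buffer behind `out`. */
void build_tty_path_unchecked(char *out, const char *tty)
{
    sprintf(out, "%s%s", DEV_PREFIX, tty);
}

/* Bounded form: returns 0 on success, -1 if the result would not fit. */
int build_tty_path(char *out, size_t outlen, const char *tty)
{
    int n;

    if (out == NULL || outlen == 0 || tty == NULL || tty[0] == '\0')
        return -1;
    n = snprintf(out, outlen, "%s%s", DEV_PREFIX, tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';    /* never hand back a truncated device name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[DEV_PATH_MAX];
    char longarg[99];

    memset(longarg, 'x', 98);   /* same length as the 98-character argument in the report */
    longarg[98] = '\0';

    printf("pts/0 -> %d (%s)\n", build_tty_path(path, sizeof path, "pts/0"), path);
    printf("98 x  -> %d\n", build_tty_path(path, sizeof path, longarg));
    return 0;
}
```
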
----------------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 23:38:38 +0100
From: Casper Dik <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
>However, even if this is overflowable into a shell with tty permissions,
>I can see nothing useful coming out of it.
>
>crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0
>
>Those are the permissions on the terminal. The most I can see happening is
>someone writing to my screen when I have messages turned off.
No, all that can happen is that someone writes to your screen when you
have messages *ON*.
Write filters these messages for content and prepends a "from user ..."
etc message and it stops writing when messages are turned off in response
to write; with a fd to a tty you can continue to write and write arbitrary
control characters.
Casper
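
[Added example, not part of the thread and not the Solaris implementation: a sketch of the kind of content filtering described in the message above, which is what a process holding a raw descriptor to the tty would bypass. The function name and the choice of caret notation for control bytes are assumptions made for illustration.]

```c
#include <stddef.h>

/* Copy msg into out, rendering control bytes in caret notation
 * (ESC becomes "^[", BEL becomes "^G") and replacing bytes with the
 * high bit set by '?'. Newline and tab pass through unchanged.
 * Returns the output length, or (size_t)-1 if out is too small. */
size_t sanitize_for_tty(char *out, size_t outlen, const char *msg)
{
    size_t o = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)msg; *p != '\0'; p++) {
        unsigned char c = *p;

        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f)) {
            if (o + 1 >= outlen)
                return (size_t)-1;
            out[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            if (o + 2 >= outlen)
                return (size_t)-1;
            out[o++] = '^';
            out[o++] = (char)(c ^ 0x40);   /* 0x1b -> '[', 0x7f -> '?' */
        } else {
            if (o + 1 >= outlen)
                return (size_t)-1;
            out[o++] = '?';
        }
    }
    if (o >= outlen)
        return (size_t)-1;
    out[o] = '\0';
    return o;
}
```
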
----------------------------------------------------------------------------------
Date: Thu, 11 Mar 1999 10:52:11 +1100
From: Darren Reed <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
Function call tracing (a new feature of truss) in Solaris 2.7 should be
able to confirm the location of the problem.
Darren