Buffer overflow vulnerability in Solaris "/usr/bin/write" command discovered on multiple versions.
`Date: Mon, 8 Mar 1999 15:30:36 +0900
From: [email protected]
To: [email protected]
Subject: Solaris "/usr/bin/write" bug
This is my first post to BugTraq
If this is old, I'm sorry.
When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
interesting.
It's a buffer overflow bug in "/usr/bin/write".
To ensure, view this command:
( Solaris 2.6 x86 )
[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 98'`
Segmentation fault
( Solaris 2.5.1(2.5) sparc )
[love]/home/love> write loveyou `perl -e 'print "x" x 79'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
permission denied
[love]/home/love> write loveyou `perl -e 'print "x" x 80'`
Segmentation Fault
( Solaris 2.6 and 2.7 maybe .. )
bye bye ~ :)
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 17:16:26 +0000
From: John Riddoch <[email protected]>
Reply-To: John Riddoch <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
>when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
> interesting.
>It's buffer overflow bug in "/usr/bin/write"
>To ensure, view this command :
>
>( Solaris 2.6 x86 )
>[loveyou@/user/loveyou/buf]{30}% write loveyou `perl -e 'print "x" x 97'`
>[loveyou@/user/loveyou/buf]write loveyou `perl -e 'print "x" x 97'`
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>( Solaris 2.6 and 2.7 maybe .. )
This also segfaults under Solaris 2.6 and 7 on SPARC.
I'm not sure how exploitable this is, as it is only sgid tty, which isn't a
huge problem (but could be nonetheless, I suppose).
--
John Riddoch Email: [email protected] Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
I am Homer of Borg. Resistance is Fu... Ooooh! Donuts!
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 21:22:17 -0600
From: Chris Tobkin <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
> ( Solaris 2.6 and 2.7 maybe .. )
(Solaris 2.7 x86)
[[email protected]_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 93'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxx permission denied
[[email protected]_x86](~)9:09pm> write loveyou `perl -e 'print "x" x 94'`
Segmentation fault
(Solaris 2.6 sparc)
[[email protected]_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 91'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx permission denied
[[email protected]_sparc](~)9:12pm> write loveyou `perl -e 'print "x" x 92'`
Segmentation fault
Looks like 2.6 for sparc and 2.7 intel have the same problem...
// chris
[email protected]
*************************************************************************
Chris Tobkin [email protected]
Java and Web Services - Academic and Distributed Computing Services - UMN
-----------------------------------------------------------------------
Laura: I took a business course at business college--
Jim: How did that work out?
Laura: Well, not very well...I had to drop out, it gave me...indigestion.
- Tennessee Williams - The Glass Menagerie
*************************************************************************
----------------------------------------------------------------------------------
Date: Tue, 9 Mar 1999 15:45:16 +0000
From: Dan - Sr. Admin <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
> This is my first post to BugTraq
> If this is old, I'm sorry.
> when playing around with "/usr/bin/write" on Solaris 2.6 x86 , I found something
> interesting.
> It's buffer overflow bug in "/usr/bin/write"
> To ensure, view this command :
[snip]
> ( Solaris 2.6 and 2.7 maybe .. )
>
> bye bye ~ :)
Confirmed under Sparc Solaris 2.6.
Although I have no source code to verify this, I would assume the problem
lies in a sprintf() call (or something similar) that builds the device to
open from the tty you specify on the command line.
However, even if this is overflowable into a shell with tty permissions,
I can see nothing useful coming out of it.
crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0
Those are the permissions on the terminal. The most I can see happening is
someone writing to my screen when I have messages turned off.
Regards,
--
Dan Moschuk ([email protected])
Senior Systems/Network Administrator
Globalserve Communications Inc., a Primus Canada Company
"Be different: conform."
----------------------------------------------------------------------------------
Date: Wed, 10 Mar 1999 23:38:38 +0100
From: Casper Dik <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
>However, even if this is overflowable into a shell with tty permissions,
>I can see nothing useful coming out of it.
>
>crw--w---- 1 dm tty 24, 0 Mar 9 14:39 pts@0:0
>
>Those are the permissions on the terminal. The most I can see happening is
>someone writing to my screen when I have messages turned off.
No, all that can happen is that someone writes to your screen when you
have messages *ON*.
Write filters these messages for content and prepends a "from user ..."
etc message and it stops writing when messages are turned off in response
to write; with a fd to a tty you can continue to write and write arbitrary
control characters.
Casper
----------------------------------------------------------------------------------
Date: Thu, 11 Mar 1999 10:52:11 +1100
From: Darren Reed <[email protected]>
To: [email protected]
Subject: Re: Solaris "/usr/bin/write" bug
Function call tracing (a new feature of truss) in Solaris 2.7 should be
able to confirm the location of the problem.
Darren
`
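Dan Moschuk's reply in the thread guesses that write builds the device path from the terminal argument with an unbounded sprintf(). The following is an added illustration of that pattern beside a bounded form; it is not Solaris source (none of the posters had it), and the buffer size, the "/dev/" prefix and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"
#define DEVBUF_LEN 32   /* assumed size; the real buffer size is not known */

/* Unbounded pattern of the kind guessed at in the thread (comparison only):
 * a tty argument longer than DEVBUF_LEN - strlen(DEV_PREFIX) - 1 bytes
 * is copied past the end of dev. */
void build_dev_unsafe(char *dev, const char *tty)
{
    sprintf(dev, "%s%s", DEV_PREFIX, tty);
}

/* Bounded form: returns 0 and fills dev on success; returns -1 and leaves
 * dev empty if the name is missing or would not fit. It refuses rather
 * than truncates, so a clipped name can never be opened by mistake. */
int build_dev_safe(char *dev, size_t devlen, const char *tty)
{
    int n;

    if (dev == NULL || devlen == 0)
        return -1;
    dev[0] = '\0';
    if (tty == NULL || *tty == '\0')
        return -1;
    n = snprintf(dev, devlen, "%s%s", DEV_PREFIX, tty);
    if (n < 0 || (size_t)n >= devlen) {
        dev[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char dev[DEVBUF_LEN];
    char longarg[98];

    memset(longarg, 'x', sizeof longarg - 1);  /* 97 x's, constructed input */
    longarg[sizeof longarg - 1] = '\0';
    printf("pts/3  -> %d (%s)\n", build_dev_safe(dev, sizeof dev, "pts/3"), dev);
    printf("97 x's -> %d\n", build_dev_safe(dev, sizeof dev, longarg));
    return 0;
}
```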