Bugtraq archives for 3rd quarter (Jul-Sep) 1997: Re: Small problem in AIX write command: Executes shell

Re: Small problem in AIX write command: Executes shell

David Holland (dhollandEECS.HARVARD.EDU)
Fri, 1 Aug 1997 14:34:17 -0400

 > At least on our AIX 4.1.5, the "write" command for sending messages to
 > other users doesn't filter the message to be sent w.r.t. shell
 > metacharacters: Just pipe a "telnet localhost chargen" into "write
 > somebody", and you will receive error messages saying that a "sh" tries
 > to execute parts of the text being sent. Modify the input to "write" a
 > little bit (to contain actual shell commands), and they will be
 > executed.

This is because some versions of write, apparently including that one,
support shell escapes for the user typing into them.

RTFM. :-)

Now, if write is installed setgid tty (as is customary, though I don't
know about AIX) it'd be interesting to know if the resulting shell
inherited group tty or not.

 > I think this is not related to the "writesrv" bug described in IX69168
 > (a buffer-overflow-based root exploit in "writesrv", the daemon for
 > handling "write" requests).

Off-topic: does anyone have documentation of the network protocol AIX
write uses? Reply in private mail...

--
   - David A. Holland             |    VINO project home page:
     dhollandeecs.harvard.edu    | http://www.eecs.harvard.edu/vino
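The question above about whether a shell spawned from a setgid-tty write inherits group tty has a standard mitigation: drop the group privilege in the child before exec, and verify the drop. The following is an added example, not code from this post or from any write implementation; the function names are my own and /bin/sh is assumed.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Make real, effective and saved gid all equal the real gid, so a setgid-tty
 * binary cannot pass group tty on to anything it spawns.  Returns 0 on
 * success, -1 if the kernel refused or the effective gid still differs. */
int drop_group_privilege(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Verify instead of trusting the call: getegid() must report the real gid. */
    return getegid() == rgid ? 0 : -1;
}

/* 1 if the process currently runs with an inherited setgid group, else 0. */
int has_group_privilege(void)
{
    return getegid() != getgid();
}

/* Hardened shell escape: the child drops group privilege before exec and refuses
 * to run the command if the drop fails.  Returns the command's exit status, or -1
 * on fork/wait failure.  The unsafe form is plain system(cmd) from a setgid process. */
int run_shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privilege() != 0)
            _exit(126);            /* never exec with privilege still held */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("setgid privilege held: %d\n", has_group_privilege());
    printf("escape exit status: %d\n", run_shell_escape("id -g"));
    return 0;
}
```

Run it once from an unprivileged shell and once as a setgid-tty copy of the binary: the child's `id -g` should report the real group in both cases.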