OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 3rd quarter (Jul-Sep) 1997: Re2: Small problem in AIX write command: Executes shell

Re2: Small problem in AIX write command: Executes shell

DI. Dr. Klaus Kusche (Klaus.KuscheOOE.GV.AT)
Mon, 4 Aug 1997 09:06:00 PDT

>  > At least on our AIX 4.1.5, the "write" command for sending messages to
>  > other users doesn't filter the message to be sent w.r.t. shell
>  > metacharacters: Just pipe a "telnet localhost chargen" into "write
>  > somebody", and you will receive error messages saying that a "sh" tries
>  > to execute parts of the text being sent. Modify the input to "write" a
>  > little bit (to contain actual shell commands), and they will be
>  > executed.
>
> This is because some versions of write, apparently including that one,
> support shell escapes for the user typing into them.
>
> RTFM. :-)

Sorry, I apology for not reading the complete man page carefully.
It's there ...

> Now, if write is installed setgid tty (as is customary, though I don't
> know about AIX) it'd be interesting to know if the resulting shell
> inherited group tty or not.

AIX write isn't suid or sgid.

However, if you make it suid or sgid something (e.g. to
allow a nonpriviledged account to send
forced messages even to users having messages switched off),
the shell seems to happily inherit any priviledges you give to write...

> --
>    - David A. Holland             |    VINO project home page:
>      dhollandeecs.harvard.edu    | http://www.eecs.harvard.edu/vino

DI. Dr. Klaus Kusche
Oberoesterreichische Landesregierung / Government of Upper Austria
Rechenzentrum / Computing Centre
Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
Phone: +43 732 7720 - 3394   Fax: +43 732 7720 - 3198
Email: Klaus.Kuscheooe.gv.at