Subject: Re: SysVinit audit: mesg and wall
From: Tim Robbins (fyrebox3n.gumbynet.org)
Date: Wed Sep 06 2000 - 18:47:52 CDT


On Wed, 6 Sep 2000, Chris Evans wrote:

> Did you send your patches to the maintainer?

A month or so ago I sent a patch that fixed the overflow. The maintainer's
response was that this was not important since wall does not run suid or
sgid. He also seemed to indicate that any user could simulate wall with
code similar to this:

for t in `who | awk '{ print $2 }'`; do echo 'moo' >/dev/$t; done

Which would only work if you were the superuser, in group tty, or users'
terminals were world-writeable. I disagree with that because 1) it is a
bug, and 2) wall runs sgid tty on most systems.

I'll try sending my new set of patches soon, but I feel that they harm
functionality too much. I'll be posting my latest set of patches to the
list soon.

> You'd be surprised what you can do with a single byte overflow sometimes ;-)
>
> Out of interest, under what circumstances is this buffer overflowed? What
> variables are in the vicinity of the 2 byte overflow?

char buf[MAXLEN];
char line[83];
int f, ch;

*snip*

strcat(buf, "\r\n");

Tim
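The overflow under discussion above, as an added example that is not part of the original message or of the SysVinit wall.c source: once buf already holds MAXLEN-1 characters plus the NUL, strcat(buf, "\r\n") writes two bytes past the end of buf into whatever the compiler placed after it (in the declarations quoted above, line, f and ch). The first function only reports whether that write would happen; the second is a bounded replacement that truncates the text so that text, CRLF and NUL always fit. MAXLEN is set to a small assumed value so the fill is easy to see, and the function names and the sample line are mine.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 16   /* assumed small value for the demo; wall.c's MAXLEN is larger */

/* Reports whether the unsafe pattern, strcat(buf, "\r\n") on a buffer of
 * `cap` bytes, would write past its end. It never performs the write. */
static int crlf_would_overflow(const char *buf, size_t cap)
{
    return strlen(buf) + strlen("\r\n") + 1 > cap;
}

/* Bounded replacement: copy `line` into buf[cap] and append "\r\n",
 * truncating `line` so that text + CRLF + NUL always fit in cap bytes.
 * Returns the number of bytes of `line` that were kept. */
static size_t append_line_crlf(char *buf, size_t cap, const char *line)
{
    static const char crlf[] = "\r\n";     /* sizeof(crlf) == 3, NUL included */
    size_t keep, n;

    if (cap < sizeof(crlf)) {              /* no room even for CRLF + NUL */
        if (cap > 0)
            buf[0] = '\0';
        return 0;
    }
    keep = cap - sizeof(crlf);             /* bytes available for text */
    n = strlen(line);
    if (n > keep)
        n = keep;
    memcpy(buf, line, n);
    memcpy(buf + n, crlf, sizeof(crlf));   /* writes "\r\n" and the terminating NUL */
    return n;
}

int main(void)
{
    char buf[MAXLEN];
    size_t kept;

    /* Constructed input: exactly fills buf, as an over-long wall line would
     * after it has been copied in with nothing left for the CRLF. */
    const char *full = "0123456789abcde";  /* 15 chars + NUL == MAXLEN */
    memcpy(buf, full, MAXLEN);
    printf("strcat(buf, \"\\r\\n\") would overflow: %s\n",
           crlf_would_overflow(buf, sizeof buf) ? "yes" : "no");

    /* Same situation handled by the bounded version: the line is cut so
     * the CRLF and NUL still land inside buf. */
    kept = append_line_crlf(buf, sizeof buf, "0123456789abcdefXYZ");
    printf("kept %zu bytes of text, buf now %zu chars of %zu\n",
           kept, strlen(buf), sizeof buf);
    return 0;
}
```

The check function mirrors the arithmetic a reviewer does by hand: the bytes already in buf, plus the two being appended, plus the NUL, must not exceed the buffer size. The bounded version is what the strcat call should have been; whether truncation or rejecting the line is the right behaviour for wall is a separate choice, but either keeps the write inside buf.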