Re: Small problem in AIX write command: Executes shell

David Holland (dholland@EECS.HARVARD.EDU)
Fri, 01 Aug 1997 14:34:17 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dan Fleisher: "INND causes cancer in laboratory rats (fwd)"
Previous message: Aleph One: "Netscape Communicator Bug"
Maybe in reply to: DI. Dr. Klaus Kusche: "Small problem in AIX write command: Executes shell"

> At least on our AIX 4.1.5, the "write" command for sending messages to
> other users doesn't filter the message to be sent w.r.t. shell
> metacharacters: Just pipe a "telnet localhost chargen" into "write
> somebody", and you will receive error messages saying that a "sh" tries
> to execute parts of the text being sent. Modify the input to "write" a
> little bit (to contain actual shell commands), and they will be
> executed.

This is because some versions of write, apparently including that one,
support shell escapes for the user typing into them.

RTFM. :-)

Now, if write is installed setgid tty (as is customary, though I don't
know about AIX) it'd be interesting to know if the resulting shell
inherited group tty or not.

> I think this is not related to the "writesrv" bug described in IX69168
> (a buffer-overflow-based root exploit in "writesrv", the daemon for
> handling "write" requests).

Off-topic: does anyone have documentation of the network protocol AIX
write uses? Reply in private mail...

--
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino

Next message: Dan Fleisher: "INND causes cancer in laboratory rats (fwd)"
Previous message: Aleph One: "Netscape Communicator Bug"
Maybe in reply to: DI. Dr. Klaus Kusche: "Small problem in AIX write command: Executes shell"