Bugtraq mailing list archives

Re: Small problem in AIX write command: Executes shell


From: dholland () EECS HARVARD EDU (David Holland)
Date: Fri, 1 Aug 1997 14:34:17 -0400


At least on our AIX 4.1.5, the "write" command for sending messages to
other users doesn't filter the message to be sent w.r.t. shell
metacharacters: Just pipe a "telnet localhost chargen" into "write
somebody", and you will receive error messages saying that a "sh" tries
to execute parts of the text being sent. Modify the input to "write" a
little bit (to contain actual shell commands), and they will be
executed.

This is because some versions of write, apparently including that one,
support shell escapes for the user typing into them.

RTFM. :-)

Now, if write is installed setgid tty (as is customary, though I don't
know about AIX) it'd be interesting to know if the resulting shell
inherited group tty or not.

I think this is not related to the "writesrv" bug described in IX69168
(a buffer-overflow-based root exploit in "writesrv", the daemon for
handling "write" requests).

Off-topic: does anyone have documentation of the network protocol AIX
write uses? Reply in private mail...

--
   - David A. Holland             |    VINO project home page:
     dholland () eecs harvard edu    | http://www.eecs.harvard.edu/vino
