Re: Solaris /usr/bin/write Vulnerability

[Konrad Rieck <kr () R0Q CX>]

On Wed, Jan 17, 2001 at 09:06:15AM -0300, Pablo Sor wrote:
> I have written an exploit for the /usr/bin/write command , this is not a
> new vulnerability but it has not been fixed at least till Solaris 7 patchs
> (dont know about Solaris 8).
> This command contains a buffer overflow in the second argument. If this
> data exceeds predefined length, inserting two values into the argument
> it is  possible to copy the first one into the memory position pointed by
> the second one, using this technique it is possible to execute arbitrary
> commands. I have seen some messages saying that this vulnerability could
> not be exploited eitherway.
> this command has sgid tty so I do not think it could generate serious
> privileges problems.

Hi,
it seems that this problem has been fixed on Solaris 8 i86 and Sparc. Some
dirty tests proved that Sun implemented a length check for the second
argument:

 kr@gorkie:kr> write root `perl -e 'print "s"x2000'`
 Terminal name too long.

But why not take a look at the Solaris 8 Source? ... It has also been
released in order to find (or not find) any security vulnerabilities.
Let's go sure.

According to the source of write.c the second argument cannot cause an
overflow, strlcat() is used to catch the problem.
Here is the corresponding part of the strlcat man page "string(3C)".

     Buffer overflow can be checked as follows:
     if (strlcat(dst, src, dstsize) >= dstsize)
             return -1;

Regards,
Konrad

--
Konrad Rieck <kr () r0q cx>
Roqefellaz - http://www.r0q.cx, GPG Public Key http://www.r0q.cx/keys/kr.pub
--           Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897