Re: Solaris "/usr/bin/write" bug

From: Darren Reed (avalonat_private)
Date: Wed Mar 10 1999 - 15:52:11 PST

    In some mail from Dan - Sr. Admin, sie said:
    >
    > > This is my first post to BugTraq
    > > If this is old, I'm sorry.
    > > When playing around with "/usr/bin/write" on Solaris 2.6 x86, I found something
    > > interesting.
    > > It's a buffer overflow bug in "/usr/bin/write"
    > > To ensure, view this command :
    >
    > [snip]
    >
    > > ( Solaris 2.6 and 2.7 maybe .. )
    > >
    > > bye bye ~    :)
    >
    > Confirmed under Sparc Solaris 2.6.
    >
    > Although I have no source code to verify this, I would assume the problem
    > lies in a sprintf() call (or something similar) that builds the device to
    > open from the tty you specify on the command line.
    >
    > However, even if this is overflowable into a shell with tty permissions,
    > I can see nothing useful coming out of it.
    >
    > crw--w----   1 dm       tty       24,  0 Mar  9 14:39 pts@0:0
    >
    > Those are the permissions on the terminal.  The most I can see happening is
    > someone writing to my screen when I have messages turned off.
    
    Function call tracing (a new feature of truss) in Solaris 2.7 should be
    able to confirm the location of the problem.
    
    Darren
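
Added example, not part of the original thread and not Solaris source: a bounded version of the kind of device-path construction the quoted message speculates about, with the unbounded `sprintf()` form shown in a comment. The helper name `build_tty_path`, the `/dev/` prefix and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX   "/dev/"
#define DEV_PATH_MAX 64          /* assumed buffer size, for illustration */

/* Hypothetical helper: build "/dev/<tty>" from a user-supplied tty name.
 * Returns 0 on success, -1 if the name is empty or does not fit. */
int build_tty_path(char *out, size_t outlen, const char *tty)
{
    int n;

    if (out == NULL || outlen == 0 || tty == NULL || *tty == '\0')
        return -1;

    /* The unbounded form the quoted message assumes would look like:
     *     sprintf(out, "/dev/%s", tty);
     * which writes past the end of 'out' when 'tty' is long enough.
     * snprintf() never writes more than outlen bytes and returns the
     * length the full string would have needed. */
    n = snprintf(out, outlen, DEV_PREFIX "%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';           /* do not leave a truncated path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[DEV_PATH_MAX];
    char longname[512];          /* constructed overlong argument */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("pts/0    -> %d (%s)\n",
           build_tty_path(path, sizeof(path), "pts/0"), path);
    printf("overlong -> %d\n",
           build_tty_path(path, sizeof(path), longname));
    return 0;
}
```

Treating truncation as an error matters here: opening a silently shortened device path would target a different file than the one the user named.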
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:50 PDT