6th Oct 1998 [SBWID-62]
COMMAND
	    at
SYSTEMS AFFECTED
	    NetBSD 1.3.2 and earlier, IRIX 6.2, 6.4, 6.5, 6.5.1
PROBLEM
	    Due to a bug in the at(1) program, any local user can queue any
	    file on the system that is readable by root for execution by
	    /bin/sh.  As at(1) returns errors to the submitter, it is possible
	    that they may obtain parts of the file.  The at(1) sources use
	    seteuid(2) to swap the user ID between the user and root.  at(1)
	    incorrectly set its cached real and effective user ID to 0 before
	    opening a filename passed via the -f flag, allowing any file
	    readable by root to be read as commands to be executed.  For
	    example, if at(1) was called like this:
	
	        % at -f /etc/master.passwd now + 1 minute
	
	    portions of /etc/master.passwd may be mailed back to the user.  In
	    this example, the security of the passwords in /etc/master.passwd
	    was compromised.

	    J.A. Gutierrez tried the same on IRIX 6.2 and it seems to work
	    there too:
	
	        $ at -f /etc/shadow now + 1 minute
	        -> shadow is mailed to user:
	
	    'at' is:
	
	        f 23947    91 patchSG0002866.eoe_sw.unix m usr/bin/at
	
SOLUTION
	    The patch listed below changes at(1) so that it no longer changes
	    the cached real and effective user ID values and instead switches
	    to root as necessary.  By removing the `REDUCE_PRIV' call, and
	    calling `PRIV_START' and `PRIV_END' around the final fchmod(2),
	    security is obtained.  If the patch cannot be applied, the
	    following command should be run as root to remove the set-user-ID
	    flag from the at(1) binary:
	
	        # chmod u-s /usr/bin/at
	
	    Note that  this will  disable at(1)  for normal  users.  The patch
	    has been made available for  NetBSD 1.3, 1.3.1 and 1.3.2,  and can
	    be found on the NetBSD FTP server:
	
	        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980626-at
	
	    Patches for IRIX:
	
	        OS Version   Patch #
	        ----------   -------
	        IRIX 6.2      3182
	        IRIX 6.4      3184
	        IRIX 6.5      3286
	        IRIX 6.5.1    3286
	
	    If you have not received an  IRIX 6.5.1m CD for IRIX 6.5,  contact
	    your SGI Support Provider  or download the IRIX  6.5.1 Maintenance
	    Release Stream from http://support.sgi.com/
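
	    The privilege handling described above, as an added example that
	    is not taken from the NetBSD or IRIX patches: a set-user-ID program
	    opens a user-supplied file under the caller's own identity and only
	    then regains root.  The helper name open_as_invoker() is
	    hypothetical.

```c
/* Added example; open_as_invoker() is a hypothetical helper, not at(1) code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a user-supplied path using the invoking user's identity.  In a
 * set-user-ID root program getuid() is the caller and geteuid() is 0, so
 * the kernel's permission check on open(2) is made as the caller.
 */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group, then the user; restore in the reverse order below. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return -1;
    }

    fd = open(path, O_RDONLY);
    saved_errno = errno;

    /* Regain privilege; the saved set-user-ID allows switching back. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_invoker(argc > 1 ? argv[1] : "/etc/master.passwd");
    if (fd < 0) { perror("open_as_invoker"); return 1; }
    puts("opened with the caller's own permissions");
    return close(fd);
}
```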
	
