Affects: /usr/bin/at

To check if you are potentially vulnerable to this exploit, execute:

    /usr/bin/at 31337 + vuln

If you are vulnerable this will cause:

    Segmentation fault

If not, there will be a message similar to:

    Garbled time

(possibly with some extra information)

The problem is caused by a bug in the parser which deallocates the same memory location twice. This can sometimes be exploited, for the uid of "daemon", and due to some other minor problems, may allow root access from there.

Attached is an exploit for Redhat 7.0.

    bash-2.04$ rpm -qf /lib/libc-*
    glibc-2.2.4-18.7.0.3
    bash-2.04$ rpm -qf /usr/bin/at
    at-3.1.8-12
    bash-2.04$ tar -xzf attn.tar.gz
    bash-2.04$ cd attn
    bash-2.04$ id
    uid=500(evil) gid=500(evil) groups=500(evil)
    bash-2.04$ ./doit.sh
    woot-2.04# id
    uid=0(root) gid=0(root) groups=500(evil)
    woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." | mail -s "Fix /usr/bin/at" root
    woot-2.04# exit
    bash-2.04$

--
zen-parse
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it may be redistributed without modification.
2) In any other case the contents of this message are confidential and not to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
Attachment:
attn.tar.gz
Description: Local root exploit (rh 7.0)
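The post attributes the crash to the time-spec parser freeing the same allocation twice. The following is an added illustration, not code from the post or from at(1): a hypothetical mini parser (constructed here, accepting input shaped like "31337 + vuln") that avoids the bug class by giving every allocation exactly one owner, releasing everything through a single cleanup routine, and nulling pointers after free() so a redundant cleanup call stays harmless. The struct and function names are inventions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mini time-spec parser, constructed for this example.
 * It is NOT the parser in at(1); it only mirrors the shape of the input
 * in the post ("31337 + vuln") to show the ownership discipline that
 * prevents the bug class described: freeing one allocation twice. */

typedef struct {
    char *base;    /* heap copy of the leading time token */
    char *offset;  /* heap copy of the token after '+', or NULL */
} timespec_t;

/* Single cleanup routine. Each pointer is set to NULL after free(), and
 * free(NULL) is defined as a no-op, so calling this twice (for example once
 * from the parser's error path and once from the caller) is harmless. */
void timespec_free(timespec_t *t)
{
    free(t->base);
    t->base = NULL;
    free(t->offset);
    t->offset = NULL;
}

static int all_digits(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Returns 0 on success and -1 for a garbled spec. On -1 every allocation the
 * parser made has already been released exactly once and *out is zeroed. */
int parse_timespec(const char *input, timespec_t *out)
{
    char *copy, *save = NULL, *tok;

    memset(out, 0, sizeof *out);
    copy = strdup(input);           /* scratch buffer owned by this function */
    if (copy == NULL)
        return -1;

    tok = strtok_r(copy, " ", &save);
    if (tok == NULL || !all_digits(tok))
        goto garbled;
    out->base = strdup(tok);
    if (out->base == NULL)
        goto garbled;

    tok = strtok_r(NULL, " ", &save);
    if (tok != NULL) {
        if (strcmp(tok, "+") != 0)
            goto garbled;
        tok = strtok_r(NULL, " ", &save);
        if (tok == NULL || !all_digits(tok))
            goto garbled;           /* "vuln" is not a number: garbled */
        out->offset = strdup(tok);
        if (out->offset == NULL)
            goto garbled;
        if (strtok_r(NULL, " ", &save) != NULL)
            goto garbled;           /* trailing junk */
    }

    free(copy);
    return 0;

garbled:
    free(copy);                     /* scratch buffer freed on exactly one path */
    timespec_free(out);             /* releases whatever was built so far, once */
    return -1;
}

/* Parse, then release twice on purpose to show the redundant cleanup is
 * safe. Returns the parser's result: 0 for ok, -1 for a garbled spec. */
int check_spec(const char *input)
{
    timespec_t t;
    int rc = parse_timespec(input, &t);
    timespec_free(&t);
    timespec_free(&t);
    return rc;
}

int main(void)
{
    printf("\"31337 + vuln\" -> %s\n", check_spec("31337 + vuln") == 0 ? "ok" : "Garbled time");
    printf("\"1200 + 15\"    -> %s\n", check_spec("1200 + 15") == 0 ? "ok" : "Garbled time");
    return 0;
}
```

The design point is that the error path and the caller may both run the cleanup without coordinating, because the cleanup is idempotent; a parser whose error path frees a pointer and then leaves it dangling for a later cleanup to free again is the pattern that produces the segmentation fault the post uses as its vulnerability check.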