Date: Tue, 4 Apr 1995 15:28:14 +0200 (MET DST) From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig) To: freebsd-security@FreeBSD.org Subject: security hole in old versions of at for Linux (fwd) Message-ID: <199504041328.PAA03260@mvmampc66.ciw.uni-karlsruhe.de>
next in thread | raw e-mail | index | archive | help
I sent out the following message yesterday to the linux-security list. The bug I described (for which I also got a full exploitation script, which I'm not releasing at present) appears to be in the current FreeBSD distributions. It would appear that this is the (older) version of at/atrun, version 2.5 or thereabouts, which I released under a BSD-style copyright specifically for inclusion in FreeBSD. Since 2.7a has this bug fixed, it would be advisable to upgrade ASAP. For the record, I give the FreeBSD maintainers explicit permission to slap the same copyright I released their current version under on 2.7a. It can be found in the usual Linux places, such as sunsite.unc.edu. [Please CC: me any reply; I don't subscribe to any FreeBSD list] Thomas > I've just been informed that earlier versions of my at/atrun package > for Linux had a bug which allowed root access for any authorized user > of the system. > > This bug can only be exploited if the user can edit a job he's > submitted to the atrun queue. > > If 'at -V' shows a version earlier than 2.7, or if the directory > /var/spool/atjobs (or, possibly, /usr/spool/atjobs) is world - executable, > you are vulnerable. > > In that case, upgrade your system to at 2.7 or 2.7a immediately. > > In the meantime, changing the permissions of /var/spool/atjobs to 700 > will prevent unauthorized root access; this may also render the > 'at' system unusable. > > Non - vulnerable versions of at have been around for about 10 > months, and have been included in the standard distributions.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199504041328.PAA03260>