From owner-freebsd-security Tue Apr 4 06:29:08 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA12471 for security-outgoing; Tue, 4 Apr 1995 06:29:08 -0700
Received: from nz11.rz.uni-karlsruhe.de (nz11.rz.uni-karlsruhe.de [129.13.64.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA12464 for ; Tue, 4 Apr 1995 06:28:55 -0700
Received: from mvmampc66.ciw.uni-karlsruhe.de by nz11.rz.uni-karlsruhe.de with SMTP (PP); Tue, 4 Apr 1995 15:28:23 +0200
Received: (from ig25@localhost) by mvmampc66.ciw.uni-karlsruhe.de (8.6.9/8.6.9) id PAA03260 for freebsd-security@freebsd.org; Tue, 4 Apr 1995 15:28:15 +0200
Message-Id: <199504041328.PAA03260@mvmampc66.ciw.uni-karlsruhe.de>
Subject: security hole in old versions of at for Linux (fwd)
To: freebsd-security@FreeBSD.org
Date: Tue, 4 Apr 1995 15:28:14 +0200 (MET DST)
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1555
Sender: security-owner@FreeBSD.org
Precedence: bulk

I sent out the following message yesterday to the linux-security list.

The bug I described (for which I also got a full exploitation script,
which I'm not releasing at present) appears to be in the current
FreeBSD distributions. It would appear that this is the (older)
version of at/atrun, version 2.5 or thereabouts, which I released
under a BSD-style copyright specifically for inclusion in FreeBSD.

Since 2.7a has this bug fixed, it would be advisable to upgrade ASAP.
For the record, I give the FreeBSD maintainers explicit permission to
slap the same copyright I released their current version under on 2.7a.
It can be found in the usual Linux places, such as sunsite.unc.edu.

[Please CC: me any reply; I don't subscribe to any FreeBSD list]

Thomas

> I've just been informed that earlier versions of my at/atrun package
> for Linux had a bug which allowed root access for any authorized user
> of the system.
>
> This bug can only be exploited if the user can edit a job he's
> submitted to the atrun queue.
>
> If 'at -V' shows a version earlier than 2.7, or if the directory
> /var/spool/atjobs (or, possibly, /usr/spool/atjobs) is world-executable,
> you are vulnerable.
>
> In that case, upgrade your system to at 2.7 or 2.7a immediately.
>
> In the meantime, changing the permissions of /var/spool/atjobs to 700
> will prevent unauthorized root access; this may also render the
> 'at' system unusable.
>
> Non-vulnerable versions of at have been around for about 10
> months, and have been included in the standard distributions.
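
An audit of the two conditions named in the quoted advisory (an `at` version earlier than 2.7, or a world-executable spool directory), as an added example that is not part of the original message or of the at package. The function names are hypothetical, and it assumes the version is the first MAJOR.MINOR number in the text printed by `at -V`, since the message does not show that output.

```shell
#!/bin/sh
# Added example: audit for the two conditions named in the advisory.
# Assumption: the version is the first MAJOR.MINOR number in the text
# printed by 'at -V'; the exact output format is not given in the message.
# Usage: audit_at /var/spool/atjobs "$(at -V 2>&1)"

# Succeeds (returns 0) if "others" have execute/search permission on directory $1.
spool_world_executable() {
    [ -d "$1" ] || return 1
    # The 10th character of the ls mode string is the others-execute slot:
    # 'x' or 't' (sticky bit plus execute) means world-executable.
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds if the version found in text $1 is earlier than 2.7.
# Returns 2 if no version number can be found (undetermined).
at_version_vulnerable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    set -- $ver                        # $1 = major, $2 = minor
    [ "$1" -lt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -lt 7 ]; }
}

# Checks one spool directory ($1) and one version text ($2), prints each
# finding, and returns 0 if either vulnerable condition holds.
audit_at() {
    dir=$1 vertext=$2 hit=1
    if at_version_vulnerable "$vertext"; then
        echo "VULNERABLE: at version earlier than 2.7 ($vertext)"
        hit=0
    fi
    if spool_world_executable "$dir"; then
        echo "VULNERABLE: $dir is world-executable"
        hit=0
    fi
    return $hit
}
```

Run it against both `/var/spool/atjobs` and `/usr/spool/atjobs`, since the advisory names either as a possible spool location.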