Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program

From: ig25 () MVMAP66 CIW UNI-KARLSRUHE DE (Thomas Koenig)
Date: Sat, 14 Jun 1997 19:44:58 +0200

The Nolander wrote:

Uhm.. Atleast I have known of this at vulnerability for a while... Even
though it still exists on atleast my Linux box I can't say it's easy
exploitable.. (at complains about garbled time when trying with some "not
nice" stuff)..


Where, exactly?  The CERT advisory was talking about commercial
systems.  The Linux implementation of at(1) is entirely written
from scratch.

There was a "obtain root" hole in earlier versions of
at (somewhere pre 2.7, and not caused by a buffer overrun), plus
an off-by-one error some time ago.  All of these are believed fixed
in 2.9b, the current public version of at.

BTW, "garbled time" is an indication that at could not parse the date
it was handed.
--
Thomas Koenig, Thomas.Koenig () ciw uni-karlsruhe de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
Previous By Date Next
Previous By Thread Next

Current thread: