Bugtraq mailing list archives

Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program


From: adam () MATH TAU AC IL (Adam Morrison)
Date: Sun, 15 Jun 1997 20:09:41 +0300


Where, exactly?  The CERT advisory was talking about commercial
systems.  The Linux implementation of at(1) is entirely written
from scratch.

In <URL:news:4vo77d$gqe () chaos dac neu edu> Gregory Hull
<gahull () ccs neu edu> published a r00t advisory about a stack overrun
condition in the Solaris 2.5 at(1) program.  Indeed, in
<URL:news:4vrool$fr9 () mail fwi uva nl> Casper Dik states that

        The at problem looks more real as there is indeed a buffer overflow
        in at(1) in 2.5 and later (in 2.4 and before the same buffer
        overflow exists but the buffer lives in the datasegment, not on the
        stack so there's no immediate danger.

However, this was about the only thing that sorry advisory got right.  The
SPARC ``egg'' instructions contained therein are a complete crock, and the
usage explanation of the faulty ``egg'' is erroneous.  I believe that this
was (at least partially) acknowledged at the time, in
<URL:news:50bu1f$fbd () mail fwi uva nl>, in which Casper Dik writes to Greg
Hull,

        I've asked you several times now to produce proof of your at(1)
        exploit.  I acknowledge that there's a buffer overflow in main()
        and that it will be fixed; yet at this point I haven't seen any
        proof that this particular bug is exploitable, I actually have,
        what I believe to be, proof to the contrary.

        (If someone else hadn't posted here that the code you posted was
        bogus, I was tempted to offer $1000 of my own money for an at(1)
        exploit using the code posted)

I do not recall an at(1) patch being released from Sun.

The final piece of the puzzle is that this advisory was forwarded to the
Best of Security mailing list by Don Framer <swoop () suburbia net>; and the
CERT advisory states that ``technical information for this advisory was drawn
in part from a posting by Don Farmer to the bugtraq mailing list.''  Close
enough.

It all fits in this weird way.



                                                adam?
