Bugtraq mailing list archives
Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program
From: adam () MATH TAU AC IL (Adam Morrison)
Date: Sun, 15 Jun 1997 20:09:41 +0300
Where, exactly? The CERT advisory was talking about commercial systems. The Linux implementation of at(1) is entirely written from scratch.
In <URL:news:4vo77d$gqe () chaos dac neu edu> Gregory Hull <gahull () ccs neu edu> published a r00t advisory about a stack overrun condition in the Solaris 2.5 at(1) program. Indeed, in <URL:news:4vrool$fr9 () mail fwi uva nl> Casper Dik states that

> The at problem looks more real as there is indeed a buffer overflow in at(1) in 2.5 and later (in 2.4 and before the same buffer overflow exists but the buffer lives in the data segment, not on the stack so there's no immediate danger.

However, this was about the only thing that sorry advisory got right. The SPARC ``egg'' instructions contained therein are a complete crock, and the usage explanation of the faulty ``egg'' is erroneous. I believe that this was (at least partially) acknowledged at the time, in <URL:news:50bu1f$fbd () mail fwi uva nl>, in which Casper Dik writes to Greg Hull,

> I've asked you several times now to produce proof of your at(1) exploit. I acknowledge that there's a buffer overflow in main() and that it will be fixed; yet at this point I haven't seen any proof that this particular bug is exploitable, I actually have, what I believe to be, proof to the contrary. (If someone else hadn't posted here that the code you posted was bogus, I was tempted to offer $1000 of my own money for an at(1) exploit using the code posted)

I do not recall an at(1) patch being released from Sun.

The final piece of the puzzle is that this advisory was forwarded to the Best of Security mailing list by Don Framer <swoop () suburbia net>; and the CERT advisory states that ``technical information for this advisory was drawn in part from a posting by Don Farmer to the bugtraq mailing list.'' Close enough.

It all fits in this weird way.

adam
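The bug class the quoted messages argue about is an unbounded copy of a command-line argument into a fixed-size buffer in at(1)'s main(), with the only difference between Solaris releases being whether that buffer sits on the stack or in the data segment. The following is an added illustration written for this archive page; it is not Sun's at(1) source (which is not on the page) and the buffer size JOBBUF, the function names and the sample argument are assumptions. It shows the vulnerable copy pattern beside a length-checked replacement that rejects, rather than truncates, arguments that do not fit.

```c
/* Added example for this page, not code from Sun or from the advisory.
 * JOBBUF is an assumed size; the real at(1) buffer size is not given here.
 *
 * A buffer on the stack (Solaris 2.5 and later, per Casper Dik's message)
 * puts the saved return address within reach of the overflow; a buffer in
 * the data segment (2.4 and earlier) overruns into adjacent static data
 * instead. The length check below removes the overflow in both layouts.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JOBBUF 256

/* Vulnerable pattern: strcpy() stops only at the NUL of src, so any
 * argument of JOBBUF bytes or more runs past the end of dst. Shown for
 * contrast only; nothing here calls it with attacker-controlled input. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement. Returns 0 on success, -1 if src (including its
 * terminating NUL) would not fit in dst. Rejecting is preferable to silent
 * truncation for a time/job specification, which must not be reinterpreted. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Does an argument of this length overflow a JOBBUF-sized buffer?
 * 1 = yes (would overrun), 0 = no. */
int arg_overflows(const char *arg)
{
    return strlen(arg) >= JOBBUF;
}

/* Construct an argument of `len` bytes of 'A' and report whether the
 * hardened copy accepts it into a JOBBUF-sized stack buffer.
 * Returns 0 if accepted, -1 if rejected (or on allocation failure). */
int try_len(size_t len)
{
    char dst[JOBBUF];
    char *src = malloc(len + 1);
    if (src == NULL)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    int r = copy_bounded(dst, sizeof dst, src);
    free(src);
    return r;
}

int main(int argc, char **argv)
{
    char stackbuf[JOBBUF];          /* automatic: the 2.5+ layout */
    static char databuf[JOBBUF];    /* static: the 2.4 layout */
    const char *arg = argc > 1 ? argv[1] : "now + 1 minute";  /* sample input */

    if (copy_bounded(stackbuf, sizeof stackbuf, arg) != 0 ||
        copy_bounded(databuf, sizeof databuf, arg) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, limit %d)\n",
                strlen(arg), JOBBUF - 1);
        return 1;
    }
    printf("accepted: %s\n", stackbuf);
    return 0;
}
```

Run it with an argument of 300 characters to see the rejection path; with `copy_unbounded` in place of `copy_bounded` the same input would overrun the buffer regardless of whether it is `stackbuf` or `databuf`, which is the point Casper Dik makes about the two Solaris layouts.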
Current thread:
- wu-ftpd 2.4.2-beta-13 default UMASK hole, (continued)
- wu-ftpd 2.4.2-beta-13 default UMASK hole Steve VanDevender (Jun 11)
- Re: wu-ftpd 2.4.2-beta-13 default UMASK hole George Staikos (Jun 11)
- Denial of service (qmail-smtpd) Frank DENIS -Jedi/Sector One- (Jun 11)
- qmail-dos-2.c, another denial of service attack Frank DENIS -Jedi/Sector One- (Jun 11)
- DNS abuse Jordi Murgo (Jun 11)
- Solaris x86 buffer overflows jim bresler (Jun 12)
- CERT Advisory CA-97.18 - Vulnerability in the at(1) program Aleph One (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Rick Byers (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program The Nolander (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Thomas Koenig (Jun 14)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Adam Morrison (Jun 15)
- Netscape Exploit root (Jun 14)
- Bug in SGI's /cgi-bin/handler Razvan Dragomirescu (Jun 14)
- Re: Bug in SGI's /cgi-bin/handler Yaron Yanay (Jun 15)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Rick Byers (Jun 12)
- sendmail 8.8.6 released Eric Allman (Jun 14)
- Re: Netscape Exploit Roger Espel Llima (Jun 14)
- Re: Netscape Exploit Micah Brandon (Jun 14)
- Re: Netscape Exploit Manoj Kasichainula (Jun 15)
- rshd gives away usernames David Holland (Jun 13)
- Re: rshd gives away usernames Erik Troan (Jun 13)
- Re: rshd gives away usernames Eric (Jun 13)