Bugtraq mailing list archives

NetBSD Security Advisory 1998-004: at(1) vulnerabilities.

From: security-alert () NETBSD ORG (security-alert () NETBSD ORG)
Date: Sat, 27 Jun 1998 20:37:31 +1000


-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1998-004
                 ---------------------------------

Topic:          Problem with at(1) allows any file to be read.
Version:        NetBSD 1.3.2 and earlier.  Fixed in NetBSD-current 19980626.
Severity:       Local user may be able to read any file.


Abstract
- --------

Due to a bug in the at(1) program, any local user can queue any file on
the system for execution by /bin/sh, readable by root.  As at(1) returns
errors to the submitter, it is possibly that they may obtain parts of
the file.



Technical Details
- -----------------

The at(1) sources use seteuid(2) to user ID swap between the user and
root.  at(1) incorrectly was setting it's cached real and effective user
ID to 0 before opening a filename passed via the -f flag, allowing any
file readable by root to be read as commands to be executed.  For
example, if at(1) was called like this:

        % at -f /etc/master.passwd now + 1 minute

portions of /etc/master.passwd may be mailed back to the user.  In this
example, the security of the passwords in /etc/master.passwd was
compromised.


Solutions and Workarounds
- -------------------------

The patch listed below changes at(1) to not change the cached real and
effective user ID values, but instead, switching to root as necessary.
By removing the `REDUCE_PRIV' call, and calling `PRIV_START' and
`PRIV_END' around the final fchmod(2), security is obtained.

If the patch can not be applied, the following command should be run as
root, to remove the set-user-ID flag from the at(1) binary:

        # chmod u-s /usr/bin/at

Note that this will disable at(1) for normal users.

The patch has been made available for NetBSD 1.3, 1.3.1 and 1.3.2, and
can be found on the NetBSD FTP server:
    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980626-at


Thanks To
- ---------

The NetBSD Project would like to thank Wolfgang Rupprecht
<wolfgang () wsrcc com> for providing information about this problem,
and matthew green <mrg () eterna com au> for providing a solution.


More Information
- ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1998, The NetBSD Foundation, Inc.  All Rights Reserved.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBNZTIYT5Ru2/4N2IFAQEJvAP7B+6NGxodePtt+/WrOzE/e4hu1PCLS1Le
DXvwLpvfwiaB3zOhIgGcVr1EzgX3O0mmQqy8eWaYjEP41+p1HfRZf7idTXmmqpQY
pkYAeWc5FwZ59mHy4/bYibPNUKTxBY/QMSmhtbI4hKg81Xm5sCQe800h58cDju0s
P3qy30MwaUw=
=B19v
-----END PGP SIGNATURE-----

Current thread:

Re: QPOPPER problem...., (continued)
- - Re: QPOPPER problem.... Jason Ackley (Jun 27)
    - Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
    - patch: qpopper (plugs another hole too) Miquel van Smoorenburg (Jun 27)
    - Re: QPOPPER problem.... Marco S Hyman (Jun 27)
    - Re: QPOPPER problem.... Bruno Lopes F. Cabral (Jun 27)
    - More patch ideas for qpopper Aaron D. Gifford (Jun 27)
    - Re: QPOPPER problem.... Jeff Haas (Jun 27)
  - Re: QPOPPER problem.... ONE crude patch... Yiorgos Adamopoulos (Jun 27)
    - Re: QPOPPER problem.... ONE crude patch... Juan Diego Bolanhos Ramirez (Jun 27)
    - Re: QPOPPER problem.... ONE crude patch... Bryan (Jun 27)
- NetBSD Security Advisory 1998-004: at(1) vulnerabilities. security-alert () NETBSD ORG (Jun 27)
- Re: !!! FLASH TRAFFIC !!! QPOPPER REMOTE ROOT EXPLOIT Miquel van Smoorenburg (Jun 27)