Bugtraq mailing list archives

"at" is vulnerable on Solaris 7 and 8


From: "Hank Wang" <hywang () iss com tw>
Date: Tue, 12 Jun 2001 10:20:23 +0800

We found that "at" in Solaris is vulnerable on Solaris 7 and 8.
This kind of bug is discussed under Bugtraq ID 1634.

--<
Generally a program that needs to display a message to the user will obtain the proper language-specific string from the database using the original message as the search key and print the results using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that get fed to the printf(3) functions.

Bad coding practices and the ability to feed format strings to the latter functions make it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems.
--

When the "at" command succeeds, it prints the message:
"commands will be executed using: <shell>\n"
A user can supply a crafted format string as the message that gettext() returns by setting the NLSPATH environment variable.

That way, a user may get root privileges.
The exploit will be released later.

--
Huang-Yu Wang
hank () iss com tw
R&D Team, ISS-TW
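
The pattern the post describes, as an added example that is not part of the original message and not code from Solaris or ISS: the catalog string returned by the message-lookup function is used directly as the printf(3) format, so a hostile catalog entry controls the format. Beside it is a defensive check that compares the conversion specifiers of the translated string with those of the original and falls back to the untranslated message on any mismatch or on %n. The names fake_gettext, safe_gettext, translation_is_safe and the hostile catalog entry are assumptions constructed for illustration; the real lookup in the advisory comes from a catalog chosen through NLSPATH.

```c
/* Added example, not from the original post. fake_gettext stands in for
 * gettext(3); the hostile catalog entry below is constructed inline. */
#include <stdio.h>
#include <string.h>

/* Simulated attacker-controlled catalog entry (in the real attack this
 * comes from a message catalog selected via NLSPATH). */
static const char *attacker_catalog_entry = NULL;

/* Toy stand-in for gettext(3): returns the catalog entry if one is set,
 * otherwise the untranslated message id. */
const char *fake_gettext(const char *msgid) {
    if (attacker_catalog_entry != NULL)
        return attacker_catalog_entry;
    return msgid;
}

/* Collect the conversion characters of a printf-style format into out
 * (one character per conversion, e.g. "s" or "sd"). Returns the count,
 * or -1 if a specifier is malformed, unknown, or is %n. */
int extract_conversions(const char *fmt, char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* literal "%%" */
        /* skip flags, width, precision, positional and length modifiers */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p)) p++;
        if (*p == '\0') return -1;               /* dangling '%' */
        if (*p == 'n') return -1;                /* %n writes memory: reject */
        if (!strchr("diouxXeEfFgGaAcsp", *p)) return -1; /* unknown conversion */
        if (n + 1 >= outlen) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* A translation may be used as a format only if its conversions are
 * exactly those of the original message, in the same order. */
int translation_is_safe(const char *msgid, const char *translated) {
    char a[32], b[32];
    int na = extract_conversions(msgid, a, sizeof a);
    int nb = extract_conversions(translated, b, sizeof b);
    if (na < 0 || nb < 0) return 0;
    return strcmp(a, b) == 0;
}

/* Hardened lookup: fall back to the untranslated msgid on mismatch. */
const char *safe_gettext(const char *msgid) {
    const char *t = fake_gettext(msgid);
    return translation_is_safe(msgid, t) ? t : msgid;
}

/* The vulnerable pattern: whatever the catalog returns becomes the format. */
void report_shell_vulnerable(const char *shell) {
    printf(fake_gettext("commands will be executed using: %s\n"), shell);
}

/* The hardened form: the catalog string is validated before use. */
void report_shell_hardened(const char *shell) {
    printf(safe_gettext("commands will be executed using: %s\n"), shell);
}

int main(void) {
    attacker_catalog_entry = "%s %x %x %x %n\n"; /* constructed hostile entry */
    report_shell_hardened("/bin/sh");            /* prints the original message */
    return 0;
}
```

The check mirrors what a catalog compiler does when it validates translations against their originals; a setuid program that cannot rely on that validation, or on the C library ignoring NLSPATH for privileged processes, has to refuse a catalog entry whose specifiers differ from the source string.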

