Date: Sat, 27 Jun 1998 20:37:31 +1000
From: security-alert@NETBSD.ORG
To: BUGTRAQ@NETSPACE.ORG
Subject: NetBSD Security Advisory 1998-004: at(1) vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 1998-004
---------------------------------
Topic: Problem with at(1) allows any file to be read.
Version: NetBSD 1.3.2 and earlier. Fixed in NetBSD-current 19980626.
Severity: Local user may be able to read any file.
Abstract
- --------
Due to a bug in the at(1) program, any local user can queue any file on
the system for execution by /bin/sh, readable by root. As at(1) returns
errors to the submitter, it is possibly that they may obtain parts of
the file.
Technical Details
- -----------------
The at(1) sources use seteuid(2) to user ID swap between the user and
root. at(1) incorrectly was setting it's cached real and effective user
ID to 0 before opening a filename passed via the -f flag, allowing any
file readable by root to be read as commands to be executed. For
example, if at(1) was called like this:
% at -f /etc/master.passwd now + 1 minute
portions of /etc/master.passwd may be mailed back to the user. In this
example, the security of the passwords in /etc/master.passwd was
compromised.
Solutions and Workarounds
- -------------------------
The patch listed below changes at(1) to not change the cached real and
effective user ID values, but instead, switching to root as necessary.
By removing the `REDUCE_PRIV' call, and calling `PRIV_START' and
`PRIV_END' around the final fchmod(2), security is obtained.
If the patch can not be applied, the following command should be run as
root, to remove the set-user-ID flag from the at(1) binary:
# chmod u-s /usr/bin/at
Note that this will disable at(1) for normal users.
The patch has been made available for NetBSD 1.3, 1.3.1 and 1.3.2, and
can be found on the NetBSD FTP server:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980626-at
Thanks To
- ---------
The NetBSD Project would like to thank Wolfgang Rupprecht
<wolfgang@wsrcc.com.> for providing information about this problem,
and matthew green <mrg@eterna.com.au.> for providing a solution.
More Information
- ----------------
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 1998, The NetBSD Foundation, Inc. All Rights Reserved.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
iQCVAwUBNZTIYT5Ru2/4N2IFAQEJvAP7B+6NGxodePtt+/WrOzE/e4hu1PCLS1Le
DXvwLpvfwiaB3zOhIgGcVr1EzgX3O0mmQqy8eWaYjEP41+p1HfRZf7idTXmmqpQY
pkYAeWc5FwZ59mHy4/bYibPNUKTxBY/QMSmhtbI4hKg81Xm5sCQe800h58cDju0s
P3qy30MwaUw=
=B19v
-----END PGP SIGNATURE-----
