Bugtraq mailing list archives

[8lgm]-Advisory-10.UNIX.SCO-at.10-Feb-1992

From: 8lgm () bagpuss demon co uk ([8LGM] Security Team)
Date: Mon, 28 Nov 1994 02:39:30 GMT


This advisory has been sent to:

        comp.security.unix

        BUGTRAQ                 <bugtraq () fc net>
        CERT/CC                 <cert () cert org>
        SCO                     <security-alert () sco com>

===============================================================================
                   [8lgm]-Advisory-10.UNIX.SCO-at.10-Feb-1992


PROGRAM:

        at(1)

VERSION:

        SCO UNIX 3.2v4.2

DESCRIPTION:

        at(1) can be used to execute arbitrary commands as group cron.

IMPACT:

        Any user with access to at(1) can become root.

REPEAT BY:

        Exploit details will not be made available, until a patch is
        provided.

FIX:

        Obtain a patch from SCO.

WORKAROUND:

        Deny access to at(1) for normal users (see man page for details.)

DISCUSSION:

        at(1) was originally designed to run setuid root.  SCOs version of
        at runs setgid cron, but still handles privileges as if running
        euid 0.

FEEDBACK AND CONTACT INFORMATION:

        8lgm-bugs () bagpuss demon co uk           (To report security flaws)

        8lgm-request () bagpuss demon co uk        (Mailing list additions -
                                                 processed automatically;
                                                 just send any message)

        8lgm () bagpuss demon co uk                (Everything else)

        System Administrators are encouraged to contact us for any
        other information they may require about the problems described
        in this advisory.

        We welcome reports about which platforms this flaw does or does
        not exist on.

        NB: 8lgm-bugs () bagpuss demon co uk is intended to be used by
        people wishing to report which platforms/OS's the bugs in our
        advisories are present on.  Please do *not* send information on
        other bugs to this address - report them to your vendor and/or
        comp.security.unix instead.

8LGM MAILING LIST:

        Send any message to 8lgm-request () bagpuss demon co uk and the
        address you mail from will automatically be added to the list.

        If you need to subscribe to an address you cannot mail from
        (eg an alias), send mail to 8lgm () bagpuss demon co uk and request
        to be added to the list.  Due to our mail volume, we appreciate
        it if you can use 8lgm-request instead; thus if you need to
        subscribe an alias, please look into using, say sendmail -f,
        if possible.

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () bagpuss demon co uk'
===========================================================================

Current thread:

Re: udp packet storms Mike Raffety (Oct 31)
- Re: udp packet storms Perry E. Metzger (Oct 31)
  - Re: udp packet storms Darren Reed (Nov 01)
- Re: udp packet storms Steve Simmons (Nov 01)
  - Re: udp packet storms Perry E. Metzger (Nov 01)
  - Re: udp packet storms Tim Newsham (Nov 01)
  - Re: udp packet storms Pete Shipley (Nov 03)
  - bizzare ftp stuff... Tim Scanlon (Nov 03)
- <Possible follow-ups>
- Re: udp packet storms Perry E. Metzger (Oct 31)
- Re: udp packet storms Charles Howes (Oct 31)
- Re: udp packet storms Mike Raffety (Nov 01)

(Thread continues...)