Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program

Rick Byers (rickb@IAW.ON.CA)
Thu, 12 Jun 1997 17:53:05 -0400

Does anyone know where exactly this buffer overflow is? I want to see if
our OS is vulnerable or not. I can't find anything from a quick
inspection, but I can't be sure.

Thanks,
Rick

On Thu, 12 Jun 1997, Aleph One wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> CERT* Advisory CA-97.18
> Original issue date: June 12, 1997
> Last revised: --
>
> Topic: Vulnerability in the at(1) program
> - -----------------------------------------------------------------------------
> The CERT Coordination Center has received reports of a buffer overflow
> condition in some versions of the at(1) program. By carefully specifying the
> data that overflows this buffer, any user can execute arbitrary commands as
> root.
>
> The CERT/CC team recommends installing a vendor patch if one is available
> (see Section III.A). Until you can do so, we recommend disabling at(1) (see
> Section III.B).
>
> We will update this advisory as we receive additional information. Please
> check advisory files regularly for updates that relate to your site.
>
> - -----------------------------------------------------------------------------
>
> I. Description
>
> The at(1) program can be used by local users to schedule commands to be
> executed at a later time. When those commands are run, they are run as
> the user who originally ran at(1). That user will be referred to as the
> scheduling user.
>
> As a precaution, the scheduling user's list of commands is stored in a
> file in a directory that is not writable by other users. The file's
> ownership is changed to that of the scheduling user, and that
> information is used to define the identity of the process that runs the
> commands when the appointed time arrives. These measures are intended
> to prevent other users from changing the scheduling user's list of
> commands or creating new lists to be executed as another user. To
> achieve this additional level of security, the at(1) program runs as
> set-user-id root.
>
> Some versions of at(1) contain a programming defect that can result in a
> buffer local to at(1) being overflowed. Through the careful specification
> of the data that overflows this buffer, arbitrary commands can be executed
> with the identity of at(1) process, root in this case.
>
> II. Impact
>
> Any user with an account on a system that contains a defective version
> of at(1) can execute programs as root.
>
> III. Solution
>
> A. Install a patch from your vendor
>
> Below is a list of vendors who have provided information about
> at. Details are in Appendix A of this advisory; we will update
> the appendix as we receive more information. If your vendor's
> name is not on this list, the CERT/CC did not hear from that
> vendor. Please contact your vendor directly.
>
> Cray Research - A Silicon Graphics Company
> Hewlett-Packard Company
> IBM Corporation
> Santa Cruz Operation, Inc. (SCO)
> Silicon Graphics, Inc.
> Sun Microsystems, Inc.
>
>
> B. Until you are able to install the appropriate patch, we recommend
> the following workaround:
>
> Turn off at(1) by setting its mode to 0. Do the following as
> root:
>
> # chmod 0 /usr/bin/at
>
> Note that the location of at(1) varies from system to system.
> Consult your system's documentation for the correct location.
>
> After you turn off the at(1) command, users will not be able to use
> it. As an alternative to at(1), consider using the crontab(1)
> command if your system provides it.
>
>
> ...........................................................................
>
> Appendix A - Vendor Information
>
> Below is a list of the vendors who have provided information for this
> advisory. We will update this appendix as we receive additional information.
> If you do not see your vendor's name, the CERT/CC did not hear from that
> vendor. Please contact the vendor directly.
>
> Cray Research - A Silicon Graphics Company
> ==========================================
> Neither Unicos nor Unicos/mk is believed to be vulnerable.
>
> Hewlett-Packard Company
> =======================
> Hewlett Packard is currently investigating the problem. We will update this
> advisory through the CERT/CC when the investigation is complete.
>
> IBM Corporation
> ===============
> See the appropriate release below to determine your action.
>
>
> AIX 3.2
> -------
> Apply the following fixes to your system:
>
> PTF - U443452 U443486 U444191 U444206 U444213 U444243
> APAR - IX60796
>
> To determine if you have these PTFs on your system, run the following
> commands:
>
> lslpp -lB U443452 U443486 U444191 U444206 U444213 U444243
>
>
> AIX 4.1
> -------
> Apply the following fixes to your system:
>
> APAR - IX60894
> APAR - IX60890
>
> To determine if you have this APAR on your system, run the following
> commands:
>
> instfix -ik IX60894
> instfix -ik IX60890
>
> Or run the following commands:
>
> lslpp -h bos.rte.cron
> lslpp -h bos.rte.libc
>
> Your version of bos.rte.cron should be 4.1.4.8 or later.
> Your version of bos.rte.libc should be 4.1.4.18 or later.
>
>
> AIX 4.2
> -------
> Apply the following fixes to your system:
>
> APAR - IX60892
> APAR - IX61125
>
> To determine if you have this APAR on your system, run the following
> commands:
>
> instfix -ik IX60892
> instfix -ik IX61125
>
> Or run the following commands:
>
> lslpp -h bos.rte.cron
> lslpp -h bos.rte.libc
>
> Your version of bos.rte.cron should be 4.2.0.1 or later.
> Your version of bos.rte.libc should be 4.2.0.5 or later.
>
>
> To Order
> --------
> APARs may be ordered using Electronic Fix Distribution (via FixDist)
> or from the IBM Support Center. For more information on FixDist,
> reference URL:
>
> http://service.software.ibm.com/aixsupport/
>
> or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
>
>
> IBM and AIX are registered trademarks of International Business Machines
> Corporation.
>
>
> Santa Cruz Operation, Inc. (SCO)
> ================================
> All SCO operating systems are vulnerable. SCO has made an interim fix
> available for anonymous ftp:
>
> ftp://ftp.sco.com/SSE/sse007.ltr.Z - cover letter
> ftp://ftp.sco.com/SSE/sse007.tar.Z - replacement binaries
>
> The fix includes binaries for the following SCO operating systems:
>
> - SCO CMW+ 3.0
> - SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
> - SCO OpenServer 5.0
> - SCO UnixWare 2.1
>
>
> Silicon Graphics, Inc.
> ======================
> At this time, Silicon Graphics does not have any public information
> for the at(1) issue. Silicon Graphics has communicated with CERT
> and other external security parties and is actively investigating
> this issue. When more Silicon Graphics information (including any
> possible patches) is available for release, that information will
> be released via the SGI security mailing list, wiretap.
>
> For subscribing to the wiretap mailing list and other SGI security
> related information, please refer to the Silicon Graphics Security
> Headquarters website located at:
>
> http://www.sgi.com/Support/Secur/security.html
>
>
> Sun Microsystems, Inc.
> ======================
> Sun will be producing patches.
>
>
> - -----------------------------------------------------------------------------
> Technical information for this advisory was drawn in part from a posting by
> Don Farmer to the bugtraq mailing list. Thanks to Wolfgang Ley of DFN-CERT for
> his help in developing this advisory.
> - -----------------------------------------------------------------------------
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident Response
> and Security Teams (see http://www.first.org/team-info).
>
>
> CERT/CC Contact Information
> - ----------------------------
> Email cert@cert.org
>
> Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
> and are on call for emergencies during other hours.
>
> Fax +1 412-268-6989
>
> Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
> Using encryption
> We strongly urge you to encrypt sensitive information sent by email. We can
> support a shared DES key or PGP. Contact the CERT/CC for more information.
> Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
> Getting security information
> CERT publications and other security information are available from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for advisories and bulletins, send
> email to
> cert-advisory-request@cert.org
> In the subject line, type
> SUBSCRIBE your-email-address
>
> - ---------------------------------------------------------------------------
> Copyright 1997 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided
> it is used for non-commercial purposes and the copyright statement is
> included.
>
> * Registered U.S. Patent and Trademark Office.
> - ---------------------------------------------------------------------------
>
> This file: ftp://info.cert.org/pub/cert_advisories/CA-97.18.at
> http://www.cert.org
> click on "CERT Advisories"
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision history
>
>

=========================================================================
Rick Byers Internet Access Worldwide
rickb@iaw.on.ca System Admin, Tech Support
Welland, Ontario, Canada (905)714-1400
http://www.iaw.on.ca/rickb/ http://www.iaw.on.ca/
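A defender's script for the advisory's Section III.B workaround, added here as an example (it is not part of Rick's post or of the CERT advisory): it locates the at(1) binary, reports whether it is installed set-user-id, and, when asked, sets its mode to 0 and confirms that no permission bits remain. The candidate paths are assumptions; the advisory itself notes that the location of at(1) varies between systems.

```shell
#!/bin/sh
# Added example: check whether at(1) is set-user-id and apply the advisory's
# interim workaround (chmod 0), verifying the result afterwards.

# locate_at: print the first at(1) found in the usual places (assumed paths)
locate_at() {
  for p in /usr/bin/at /bin/at /usr/sbin/at; do
    if [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# mode_of: the nine permission characters of a file, e.g. rwsr-xr-x
mode_of() {
  ls -ld "$1" | cut -c2-10
}

# is_setuid: succeeds when the set-user-id bit is present on the file
is_setuid() {
  [ -u "$1" ]
}

# disable_at: the advisory's workaround, then confirm every bit is cleared
disable_at() {
  chmod 0 "$1" || return 1
  [ "$(mode_of "$1")" = "---------" ]
}

# report: one-line verdict, exit status 1 when the binary is set-user-id
report() {
  if is_setuid "$1"; then
    printf '%s is set-user-id (%s): vulnerable unless patched\n' "$1" "$(mode_of "$1")"
    return 1
  fi
  printf '%s is not set-user-id (%s)\n' "$1" "$(mode_of "$1")"
}

# main: run as root with --disable to apply the workaround after the report
main() {
  at=$(locate_at) || { echo "at(1) not found in the usual locations" >&2; return 2; }
  if ! report "$at" && [ "$1" = "--disable" ]; then
    disable_at "$at" && echo "$at disabled (mode 0); consider crontab(1) meanwhile"
  fi
}
```

Invoke it as `main` for the report alone or `main --disable` (as root) to turn at(1) off; re-enable by restoring the vendor's original mode once the patch is installed.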