Subject: NetBSD Security Advisory 1998-004: at(1) vulnerabilities.
To: None <netbsd-announce@NetBSD.ORG, tech-security@NetBSD.ORG, bugtraq@netspace.org>
From: <>
List: netbsd-announce
Date: 06/27/1998 20:37:31
-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1998-004
                 ---------------------------------

Topic:		Problem with at(1) allows any file to be read.
Version:	NetBSD 1.3.2 and earlier.  Fixed in NetBSD-current 19980626.
Severity:	Local user may be able to read any file.


Abstract
- --------

Due to a bug in the at(1) program, any local user can queue any file on
the system for execution by /bin/sh, readable by root.  As at(1) returns
errors to the submitter, it is possibly that they may obtain parts of
the file.



Technical Details
- -----------------

The at(1) sources use seteuid(2) to user ID swap between the user and
root.  at(1) incorrectly was setting it's cached real and effective user
ID to 0 before opening a filename passed via the -f flag, allowing any
file readable by root to be read as commands to be executed.  For
example, if at(1) was called like this:

	% at -f /etc/master.passwd now + 1 minute

portions of /etc/master.passwd may be mailed back to the user.  In this
example, the security of the passwords in /etc/master.passwd was
compromised.


Solutions and Workarounds
- -------------------------

The patch listed below changes at(1) to not change the cached real and
effective user ID values, but instead, switching to root as necessary.
By removing the `REDUCE_PRIV' call, and calling `PRIV_START' and
`PRIV_END' around the final fchmod(2), security is obtained.

If the patch can not be applied, the following command should be run as
root, to remove the set-user-ID flag from the at(1) binary:

	# chmod u-s /usr/bin/at

Note that this will disable at(1) for normal users.

The patch has been made available for NetBSD 1.3, 1.3.1 and 1.3.2, and
can be found on the NetBSD FTP server:
    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980626-at


Thanks To
- ---------

The NetBSD Project would like to thank Wolfgang Rupprecht
<wolfgang@wsrcc.com> for providing information about this problem,
and matthew green <mrg@eterna.com.au> for providing a solution.


More Information
- ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1998, The NetBSD Foundation, Inc.  All Rights Reserved.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBNZTIYT5Ru2/4N2IFAQEJvAP7B+6NGxodePtt+/WrOzE/e4hu1PCLS1Le
DXvwLpvfwiaB3zOhIgGcVr1EzgX3O0mmQqy8eWaYjEP41+p1HfRZf7idTXmmqpQY
pkYAeWc5FwZ59mHy4/bYibPNUKTxBY/QMSmhtbI4hKg81Xm5sCQe800h58cDju0s
P3qy30MwaUw=
=B19v
-----END PGP SIGNATURE-----