NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Read File

EDB-ID:

19261

Author:

Gutierrez

Type:

local

Platform:

NetBSD_x86

Published:

1998-06-27

source: http://www.securityfocus.com/bid/331/info

A vulnerability exists in NetBSD version 1.3.2 and lower, and Silicon Graphics Inc's IRIX versions 6.2, 6.3, 6.4, 6.5 and 6.5.1. The at(1) program can be supplied with a -f flag, and an error is access validation can result in the mailing of portions of unreadable files to any user who can run at.

At uses seteuid to set the appropriate user id to run under. However, it incorrectly sets its real and effective uid to 0 prior to opening the filename passed to the -f flag. This allows any user to read any file on the filesystem. 

$ at -f /etc/shadow now + 1 minute

This will mail back a portion of the shadow file to the user.