[4699] in bugtraq
Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program
daemon@ATHENA.MIT.EDU (Adam Morrison)
Mon Jun 16 16:01:03 1997
Date: Sun, 15 Jun 1997 20:09:41 +0300
Reply-To: Adam Morrison <adam@MATH.TAU.AC.IL>
From: Adam Morrison <adam@MATH.TAU.AC.IL>
X-To: Thomas.Koenig@ciw.uni-karlsruhe.de
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199706141744.TAA09009@mvmap66.ciw.uni-karlsruhe.de> from "Thomas Koenig" at Jun 14, 97 07:44:58 pm
> Where, exactly? The CERT advisory was talking about commercial
> systems. The Linux implementation of at(1) is entirely written
> from scratch.
In <URL:news:4vo77d$gqe@chaos.dac.neu.edu> Gregory Hull
<gahull@ccs.neu.edu> published a r00t advisory about a stack overrun
condition in the Solaris 2.5 at(1) program. Indeed, in
<URL:news:4vrool$fr9@mail.fwi.uva.nl> Casper Dik states that
    The at problem looks more real as there is indeed a buffer overflow
    in at(1) in 2.5 and later (in 2.4 and before the same buffer
    overflow exists but the buffer lives in the datasegment, not on the
    stack so there's no immediate danger.
However, this was about the only thing that sorry advisory got right. The
SPARC ``egg'' instructions contained therein are a complete crock, and the
usage explanation of the faulty ``egg'' is erroneous. I believe that this
was (at least partially) acknowledged at the time, in
<URL:news:50bu1f$fbd@mail.fwi.uva.nl>, in which Casper Dik writes to Greg
Hull,
    I've asked you several times now to produce proof of your at(1)
    exploit. I acknowledge that there's a buffer overflow in main()
    and that it will be fixed; yet at this point I haven't seen any
    proof that this particular bug is exploitable; I actually have,
    what I believe to be, proof to the contrary.
    (If someone else hadn't posted here that the code you posted was
    bogus, I was tempted to offer $1000 of my own money for an at(1)
    exploit using the code posted)
I do not recall an at(1) patch being released from Sun.
The final piece of the puzzle is that this advisory was forwarded to the
Best of Security mailing list by Don Framer <swoop@suburbia.net>; and the
CERT advisory states that ``technical information for this advisory was drawn
in part from a posting by Don Farmer to the bugtraq mailing list.'' Close
enough.
It all fits in this weird way.
adam?