header-logo
Suggest Exploit
vendor:
NetBSD and IRIX
by:
SecurityFocus
7.2
CVSS
HIGH
Improper Access Validation
264
CWE
Product Name: NetBSD and IRIX
Affected Version From: NetBSD 1.3.2 and lower, IRIX 6.2, 6.3, 6.4, 6.5 and 6.5.1
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

NetBSD and IRIX at(1) Vulnerability

The at(1) program can be supplied with a -f flag, and an error is access validation can result in the mailing of portions of unreadable files to any user who can run at. At uses seteuid to set the appropriate user id to run under. However, it incorrectly sets its real and effective uid to 0 prior to opening the filename passed to the -f flag. This allows any user to read any file on the filesystem.

Mitigation:

Upgrade to the latest version of NetBSD or IRIX.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/331/info

A vulnerability exists in NetBSD version 1.3.2 and lower, and Silicon Graphics Inc's IRIX versions 6.2, 6.3, 6.4, 6.5 and 6.5.1. The at(1) program can be supplied with a -f flag, and an error is access validation can result in the mailing of portions of unreadable files to any user who can run at.

At uses seteuid to set the appropriate user id to run under. However, it incorrectly sets its real and effective uid to 0 prior to opening the filename passed to the -f flag. This allows any user to read any file on the filesystem. 

$ at -f /etc/shadow now + 1 minute

This will mail back a portion of the shadow file to the user.

Navigation

Suggest Exploit

Services By CQR