Vulnerabilities > CVE-2002-0004 - Heap Overflow vulnerability in AT Maliciously Formatted Time

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
caldera
debian
freebsd
mandrakesoft
netbsd
redhat
slackware
suse
nessus
exploit available

Summary

Heap corruption vulnerability in the "at" program allows local users to execute arbitrary code via a malformed execution time, which causes at to free the same memory twice.

Exploit-Db

descriptionAT 3.1.8 Maliciously Formatted Time Heap Overflow Vulnerability. CVE-2002-0004. Local exploit for linux platform
idEDB-ID:21229
last seen2016-02-02
modified2002-01-16
published2002-01-16
reporterSuSE Security
sourcehttps://www.exploit-db.com/download/21229/
titleAT 3.1.8 - Formatted Time Heap Overflow Vulnerability

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-007.NASL
    descriptionzen-parse discovered a problem in the at command containing an extra call to free() which can lead to a segfault with a carefully crafted, but incorrect, format. This is caused due to a heap corruption that can be exploited under certain circumstances because the at command is installed setuid root. Thanks to SuSE for an additional security improvement that ads the O_EXCL (exclusive) option to the open(2) system call inside the at code.
    last seen2020-06-01
    modified2020-06-02
    plugin id13915
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13915
    titleMandrake Linux Security Advisory : at (MDKSA-2002:007)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:007. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13915);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0004");
      script_xref(name:"MDKSA", value:"2002:007");
    
      script_name(english:"Mandrake Linux Security Advisory : at (MDKSA-2002:007)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "zen-parse discovered a problem in the at command containing an extra
    call to free() which can lead to a segfault with a carefully crafted,
    but incorrect, format. This is caused due to a heap corruption that
    can be exploited under certain circumstances because the at command is
    installed setuid root. Thanks to SuSE for an additional security
    improvement that ads the O_EXCL (exclusive) option to the open(2)
    system call inside the at code."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected at package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:at");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/01/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"at-3.1.8-4.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-102.NASL
    descriptionzen-parse found a bug in the current implementation of at which leads into a heap corruption vulnerability which in turn could potentially lead into an exploit of the daemon user.
    last seen2020-06-01
    modified2020-06-02
    plugin id14939
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14939
    titleDebian DSA-102-2 : at - daemon exploit
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-102. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14939);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2002-0004");
      script_xref(name:"DSA", value:"102");
    
      script_name(english:"Debian DSA-102-2 : at - daemon exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "zen-parse found a bug in the current implementation of at which leads
    into a heap corruption vulnerability which in turn could potentially
    lead into an exploit of the daemon user."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-102"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the at packages.
    
    Unfortunately, the bugfix from DSA 102-1 wasn't propagated properly
    due to a packaging bug. While the file parsetime.y was fixed, and
    yy.tab.c should be generated from it, yy.tab.c from the original
    source was still used. This has been fixed in DSA-102-2."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:at");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"at", reference:"3.1.8-10.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Redhat

advisories
rhsa
idRHSA-2002:015

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.