AT 3.1.8 - Formatted Time Heap Overflow

EDB-ID:

21229




Platform:

Linux

Date:

2002-01-16


source: https://www.securityfocus.com/bid/3886/info

at is a freely available, open source scheduler package. It is included with various Unix and Linux operating systems, and maintained by public domain.

Under some circumstances, at does not correctly handle time input. A local user attempting to schedule a task via commandline execution and using a maliciously crafted time format can cause heap corruption in at. As the at program is installed setuid root in most implementations, this could result in the execution of arbitrary code with administrative privileges. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21229.tar.gz