COMMAND

    /usr/bin/at

SYSTEMS AFFECTED

    Hewlett-Packard Company
    IBM Corporation
    Santa Cruz Operation, Inc. (SCO)
    Silicon Graphics, Inc.
    Sun Microsystems, Inc.

PROBLEM

    The at(1) program can be used by local users to schedule commands
    to be executed at a later time. When those commands are run, they
    run as the user who originally invoked at(1). That user is referred
    to below as the scheduling user.

    As a precaution, the scheduling user's list of commands is stored
    in a file in a directory that is not writable by other users. The
    file's ownership is changed to that of the scheduling user, and
    that ownership is used to define the identity of the process that
    runs the commands when the appointed time arrives. These measures
    are intended to prevent other users from changing the scheduling
    user's list of commands or from creating new lists to be executed
    as another user. To perform these privileged operations, at(1) is
    installed set-user-id root.

    Some versions of at(1) contain a programming defect that allows a
    buffer local to at(1) to be overflowed. By carefully constructing
    the data that overflows this buffer, a local user can execute
    arbitrary commands with the identity of the at(1) process, which
    is root.

    Any user with an account on a system that contains a defective
    version of at(1) can therefore execute programs as root.

SOLUTION

    Until you are able to install the appropriate patch, it is
    recommended that you turn off at(1) by setting its mode to 0. Do
    the following as root:

        # chmod 0 /usr/bin/at

    Note that the location of at(1) varies from system to system;
    confirm the path (ls -l shows whether the file is set-user-id
    root) before changing its mode.

    Install a patch from your vendor if one exists (see the list
    below).
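    The workaround above, as an added example that is not part of the
    original advisory: a small POSIX sh script that looks for at(1) in a
    set of candidate directories, reports whether each copy found is a
    set-user-id root binary (the configuration the PROBLEM section
    describes), and, when run with the argument "disable", sets the mode
    of each copy to 0 and verifies the result. The directory list in
    AT_DIRS and the function names are this example's own choices, since
    the advisory only says that the location of at(1) varies; adjust
    AT_DIRS for your system.

```sh
#!/bin/sh
# Added example for the workaround in this advisory; not the advisory's
# own script. AT_DIRS is an assumption (the advisory only says the
# location of at(1) varies from system to system); override it as needed:
#   AT_DIRS="/usr/bin /usr/lib/cron" sh disable_at.sh disable
AT_DIRS="${AT_DIRS:-/usr/bin /bin /usr/sbin /usr/lib/cron}"

# find_at DIR... : print the path of every regular file named "at" in DIR...
find_at() {
    for d in "$@"; do
        [ -f "$d/at" ] && printf '%s\n' "$d/at"
    done
    return 0
}

# file_mode PATH : the ten-character mode string from ls -l (e.g. -rwsr-xr-x).
# ls -l is used instead of stat(1) because its output is portable across
# the affected systems; cut drops any trailing ACL/attribute marker.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# file_owner PATH : owner name, the third column of ls -l.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# is_setuid PATH : succeed if the set-user-id bit is on. In ls -l output
# the bit appears as "s" (or "S" when owner-execute is off) in column four.
is_setuid() {
    case "$(file_mode "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# report_at PATH : one line per copy stating whether it is set-user-id root,
# i.e. whether the defect described in the advisory would yield root.
report_at() {
    if is_setuid "$1" && [ "$(file_owner "$1")" = root ]; then
        printf '%s %s %s setuid-root\n' "$1" "$(file_mode "$1")" "$(file_owner "$1")"
    else
        printf '%s %s %s not-setuid-root\n' "$1" "$(file_mode "$1")" "$(file_owner "$1")"
    fi
}

# disable_at PATH : apply the advisory's workaround (mode 0) and verify it,
# failing if the resulting mode string is not ----------.
disable_at() {
    chmod 0 "$1" || return 1
    [ "$(file_mode "$1")" = "----------" ]
}

# Report every copy found; with "disable" also set each one to mode 0.
main() {
    for p in $(find_at $AT_DIRS); do
        report_at "$p"
        if [ "${1:-report}" = disable ]; then
            disable_at "$p" && printf 'disabled %s\n' "$p"
        fi
    done
}

main "$@"
```

    Run it as root first without arguments to see which copies exist and
    which are set-user-id root, then with "disable". After the vendor
    patch is installed, run the report mode again so that a copy in a
    different location is not overlooked.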

    IBM Corporation
    ===============

        System OS    Patch
        ------------------
        AIX 3.2      PTF - U443452 U443486 U444191 U444206 U444213 U444243
                     APAR - IX60796
        AIX 4.1      APAR - IX60894
                     APAR - IX60890
        AIX 4.2      APAR - IX60892
                     APAR - IX61125


    Santa Cruz Operation, Inc. (SCO)
    ================================
        All  SCO  operating  systems  are  vulnerable. SCO has made an
        interim fix available for anonymous ftp:

        ftp://ftp.sco.com/SSE/sse007.ltr.Z - cover letter
        ftp://ftp.sco.com/SSE/sse007.tar.Z - replacement binaries

    Silicon Graphics Inc.
    =====================
    Patches are:

        OS Version     Vulnerable?     Patch #      Other Actions
        ----------     -----------     -------      -------------
        IRIX 3.x          yes          not avail    Upgrade
        IRIX 4.x          yes          not avail    Upgrade
        IRIX 5.0.x        yes          not avail    Upgrade
        IRIX 5.1.x        yes          not avail    Upgrade
        IRIX 5.2          yes          not avail    Upgrade
        IRIX 5.3          yes          2225
        IRIX 6.0.x        yes          not avail    Upgrade
        IRIX 6.1          yes          not avail    Upgrade
        IRIX 6.2          yes          2230
        IRIX 6.3          yes          2232
        IRIX 6.4          yes          2233

    Sun Microsystems, Inc.
    ======================
    Patches are:

        OS version          Patch ID
        ----------          --------
        SunOS 5.5.1         103690-05
        SunOS 5.5.1_x86     103691-05
        SunOS 5.5           103723-05
        SunOS 5.5_x86       103724-05
        SunOS 5.4           102693-05
        SunOS 5.4_x86       102694-05
        SunOS 5.3           101572-08