at(1)
SCO UNIX 3.2v4.2
at(1) can be used to execute arbitrary commands as group cron.
Any user with access to at(1) can become root.
Exploit details will not be made available, until a patch is provided.
Obtain a patch from SCO.
Deny access to at(1) for normal users (see man page for details.)
at(1) was originally designed to run setuid root. SCOs version of at runs setgid cron, but still handles privileges as if running euid 0.
8lgm-bugs@bagpuss.demon.co.uk (To report security flaws)8lgm-request@bagpuss.demon.co.uk (Mailing list additions - processed automatically; just send any message)
8lgm@bagpuss.demon.co.uk (Everything else)
System Administrators are encouraged to contact us for any other information they may require about the problems described in this advisory.
We welcome reports about which platforms this flaw does or does not exist on.
NB: 8lgm-bugs@bagpuss.demon.co.uk is intended to be used by people wishing to report which platforms/OS's the bugs in our advisories are present on. Please do *not* send information on other bugs to this address - report them to your vendor and/or comp.security.unix instead.
Send any message to 8lgm-request@bagpuss.demon.co.uk and the address you mail from will automatically be added to the list.
If you need to subscribe to an address you cannot mail from (eg an alias), send mail to 8lgm@bagpuss.demon.co.uk and request to be added to the list. Due to our mail volume, we appreciate it if you can use 8lgm-request instead; thus if you need to subscribe an alias, please look into using, say sendmail -f, if possible.
All [8LGM] advisories may be obtained via the [8LGM] fileserver. For details, 'echo help | mail 8lgm-fileserver@bagpuss.demon.co.uk'