AT 3.1.8 - Formatted Time Heap Overflow Vulnerability

ID SSV:75064
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


at is a freely available, open source scheduler package. It is included with various Unix and Linux operating systems, and maintained by public domain.

Under some circumstances, at does not correctly handle time input. A local user attempting to schedule a task via commandline execution and using a maliciously crafted time format can cause heap corruption in at. As the at program is installed setuid root in most implementations, this could result in the execution of arbitrary code with administrative privileges.