local privilege escalation in at

ID SUSE-SA:2002:003
Type suse
Reporter Suse
Modified 2002-01-16T15:44:14


The 'at' command reads commands from standard input for execution at a later time specified on the command line. If such an execution time is given in a carefully drafted (but wrong) format, the at command may crash as a result of a surplus call to free(). The cause of the crash is a heap corruption that is exploitable under certain circumstances since the /usr/bin/at command is installed setuid root.