CVE-1999-1305

Source: cve@mitre.org

HIGH
7.2
Published: November 30, 1994 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local users to gain root access.

CVSS Metrics

Base Score: 7.2
Severity: HIGH
Vector String: AV:L/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SCO UNIX 4.2 and earlier systems are vulnerable to a critical local privilege escalation via the 'at' program, allowing attackers to gain root access. This vulnerability, dating back to 1994, grants unauthorized access to the entire system, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

  • Step 1: User Input: A local user crafts a malicious command string designed to exploit a vulnerability in the 'at' program. This command string is intended to overwrite memory or manipulate the program's execution flow.

  • Step 2: Scheduling the Malicious Job: The user submits the crafted command string to the 'at' program, scheduling it for execution at a future time.

  • Step 3: Vulnerability Trigger: When the scheduled time arrives, the 'at' program attempts to execute the malicious command.

  • Step 4: Exploitation: The crafted command string, due to the vulnerability, causes a memory corruption event (e.g., buffer overflow). This event allows the attacker to overwrite critical memory locations, such as the return address of a function call.

  • Step 5: Code Execution: The attacker's malicious code (e.g., a shell with root privileges) is executed, granting the attacker root access to the system.

03 // Deep Technical Analysis

The vulnerability lies within the 'at' program's handling of user-supplied input, specifically related to how it processes commands scheduled for execution. The root cause is likely a buffer overflow or similar memory corruption issue within the 'at' program's code, possibly in how it parses or handles the command string provided by the user. This allows an attacker to overwrite critical memory regions, potentially including the program's return address, and redirect execution to malicious code of their choosing. This could also be related to how the 'at' program handles permissions or context switching when executing scheduled jobs, allowing a user to execute code with elevated privileges.

04 // Exploitation Status

While the vulnerability is old, it's highly likely that **Public PoC** exploits exist due to the widespread availability of SCO UNIX 4.2 and the simplicity of the underlying flaw. The age of the vulnerability makes it a prime target for legacy system exploitation. It is possible that it is **Actively exploited** in environments where these systems are still in use, although this is difficult to confirm definitively.

05 // Threat Intelligence

Due to the age of the vulnerability, it's unlikely to be associated with specific APT groups in current reports. However, any threat actor targeting legacy systems would likely be aware of and potentially exploit this vulnerability. The vulnerability is not listed on the CISA KEV catalog, but it should be considered a high-risk vulnerability for any affected systems.

06 // Detection & Hunting

  • Monitor system logs for unusual activity related to the 'at' program, such as unexpected command executions or errors.

  • Analyze system logs for suspicious commands scheduled using 'at', especially those involving shell commands or attempts to modify system files.

  • Examine the 'at' program's configuration files for any unauthorized modifications.

  • Monitor for changes to the 'at' program's binary or related libraries.

  • Use file integrity monitoring tools to detect unauthorized changes to system binaries and configuration files.

  • Network traffic analysis may reveal attempts to connect to the system via SSH or other services after exploitation.

07 // Remediation & Hardening

  • Upgrade to a patched version of SCO UNIX or a supported operating system. This is the most effective solution.

  • If upgrading is not possible, apply any available security patches for the 'at' program. Check the vendor's website or security advisories for patches.

  • Restrict access to the 'at' program. Limit the users who can schedule jobs using 'at'.

  • Implement strong password policies and multi-factor authentication (MFA) to prevent unauthorized access to user accounts.

  • Regularly audit system logs for suspicious activity.

  • Implement a host-based intrusion detection system (HIDS) to monitor for malicious activity.

  • Consider using a security information and event management (SIEM) system to centralize and analyze security logs.

  • Implement file integrity monitoring to detect unauthorized changes to system files.
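
One way to check the "limit the users who can schedule jobs using 'at'" item, as an added example that is not part of the CVE record or any vendor tooling: it applies the POSIX at.allow / at.deny precedence and flags control files that other users could edit. The function names and the directory argument are assumptions; where the control files live varies by system.

```shell
#!/bin/sh
# Added example. DIR is the directory holding at.allow / at.deny on your
# system (assumption: supplied by the operator; it differs between systems).

# at_access USER DIR -> prints "allow" or "deny" per the POSIX rules.
# Many implementations also always permit the superuser; this reports
# only what the control files say.
at_access() {
    user=$1 dir=$2
    if [ -f "$dir/at.allow" ]; then
        # at.allow exists: only listed users may submit; at.deny is ignored.
        if grep -qxF -- "$user" "$dir/at.allow"; then echo allow; else echo deny; fi
    elif [ -f "$dir/at.deny" ]; then
        # Only at.deny exists: everyone not listed may submit.
        if grep -qxF -- "$user" "$dir/at.deny"; then echo deny; else echo allow; fi
    else
        # Neither file exists: only a privileged process may submit.
        if [ "$user" = root ]; then echo allow; else echo deny; fi
    fi
}

# at_policy DIR -> allowlist | denylist | open | root-only
at_policy() {
    if [ -f "$1/at.allow" ]; then echo allowlist
    elif [ -f "$1/at.deny" ]; then
        # An empty at.deny grants every account access to at.
        if [ -s "$1/at.deny" ]; then echo denylist; else echo open; fi
    else echo root-only
    fi
}

# loose_perms DIR -> prints control files writable by group or others,
# which would let a non-root user change who may schedule jobs.
loose_perms() {
    for f in "$1/at.allow" "$1/at.deny"; do
        if [ -f "$f" ]; then
            find "$f" -prune \( -perm -020 -o -perm -002 \) -print
        fi
    done
}

# Constructed demo: an allowlist naming one batch account.
demo=$(mktemp -d)
printf 'opsbatch\n' > "$demo/at.allow"
for u in opsbatch guest; do echo "$u: $(at_access "$u" "$demo")"; done
echo "policy: $(at_policy "$demo")"
rm -rf "$demo"
```

A result of `open` or `denylist` means new accounts can schedule jobs by default; `allowlist` is the restrictive setting the remediation item describes.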

08 // Affected Products

SCO UNIX 4.2 and earlier versions.