Source: cve@mitre.org
A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. (dot dot) sequences in the job name, then modifying the directory structure after at checks permissions to delete the file and before the deletion actually takes place.
Solaris 2.6 through 9 ship an at command containing a local race condition that lets an ordinary user delete arbitrary files. Because at runs with elevated privileges in order to manage its spool directory, a user who wins the race between the permission check and the unlink performed by at -r can remove files they could not otherwise touch, leading to denial of service or, depending on the file, further compromise of the host.
Step 1: Job Name Construction: The attacker invokes at -r with a job name containing .. (dot dot) sequences, so that the spool path at builds (spool directory plus job name) resolves to a location outside the spool, such as a system configuration file. No job content is involved; -r is the removal operation.
Step 2: Permission Check: at resolves that path and checks that the caller is allowed to remove the file it names (ownership of the supposed spool file) before unlinking it.
Step 3: File System Manipulation: In the window between that check and the unlink, the attacker rearranges the directory structure, for example by renaming a directory component or replacing one with a symbolic link, so that the same path now resolves to the target file.
Step 4: File Deletion: at unlinks the path it already validated. The path now names the target file, which is removed with at's privileges rather than the attacker's.
Step 5: Impact: The targeted file is gone, which can cause system instability or denial of service, or enable further attacks depending on what the deleted file was protecting.
The vulnerability stems from a race condition in the at command's handling of job removal. at checks permissions on a job file and then deletes it, but the two operations are separate path-based system calls on an untrusted path, so nothing binds the object that was checked to the object that is unlinked. A local user exploits the gap in two parts: .. (dot dot) sequences in the job name let the constructed spool path escape the spool directory, and a rapid change to the directory structure (a rename, or a symbolic link) between the check and the unlink makes the path resolve to a file the user would not otherwise be permitted to remove. This is a classic time-of-check to time-of-use (TOCTOU) flaw; the fix is to accept only single-component job names and to perform the check and the unlink relative to a held descriptor for the spool directory, so the validated object cannot be swapped for another.
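The following program is an added illustration and is not code from Solaris or from the advisory. It contrasts the vulnerable pattern described in the steps and root-cause paragraphs above (build a path from an untrusted job name, stat() it, then unlink() the same path) with a hardened variant that rejects multi-component names and performs the check and the unlink relative to a pinned directory descriptor. The spool layout, job names and the victim file are constructed in a throwaway directory under /tmp for the demonstration; the ownership rule (spool file must belong to the caller) is an assumption standing in for whatever at actually checks. The traversal half of the bug is shown deterministically; the timing half is only a comment in the vulnerable function, since a second process would be needed to win it.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable pattern (modelled on the advisory, not Solaris source): the path is
 * built from an untrusted job name, ownership is checked on that path, and the
 * same path is unlinked afterwards. ".." in the name escapes the spool directory,
 * and a directory component can be renamed between the two calls. */
int remove_job_vulnerable(const char *spool, const char *jobname, uid_t caller) {
    char path[PATH_MAX];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/%s", spool, jobname) >= (int)sizeof path)
        return -1;
    if (stat(path, &st) != 0)                 /* time of check */
        return -1;
    if (st.st_uid != caller) { errno = EPERM; return -1; }
    /* window: an attacker who can rename a component of `path` wins here */
    return unlink(path);                      /* time of use: same path, re-resolved */
}

/* A job name must be exactly one path component. */
int job_name_ok(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Hardened pattern: pin the spool directory with a descriptor, then check and
 * unlink relative to it. The unlink can no longer leave the spool however the
 * directory tree is rearranged, and the spool itself is not user-writable. */
int remove_job_hardened(const char *spool, const char *jobname, uid_t caller) {
    struct stat st;
    int dirfd, rc;
    if (!job_name_ok(jobname)) { errno = EINVAL; return -1; }
    dirfd = open(spool, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0) return -1;
    if (fstatat(dirfd, jobname, &st, AT_SYMLINK_NOFOLLOW) != 0) { close(dirfd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != caller) { close(dirfd); errno = EPERM; return -1; }
    rc = unlinkat(dirfd, jobname, 0);
    close(dirfd);
    return rc;
}

/* Constructed scenario: a spool directory with a "victim" file one level above
 * it standing in for a system file. Returns a bitmask of what was observed:
 * 1 = vulnerable variant deleted the victim via "../victim",
 * 2 = hardened variant refused that name and the victim survived,
 * 4 = hardened variant still removed a legitimately named job. */
int demo(void) {
    char base[] = "/tmp/atdemoXXXXXX";
    char spool[PATH_MAX], victim[PATH_MAX], job[PATH_MAX];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(base) == NULL) return -1;
    snprintf(spool, sizeof spool, "%s/spool", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(job, sizeof job, "%s/job1", spool);
    if (mkdir(spool, 0700) != 0) return -1;

    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (remove_job_vulnerable(spool, "../victim", getuid()) == 0 && stat(victim, &st) != 0)
        result |= 1;

    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (remove_job_hardened(spool, "../victim", getuid()) == -1 && errno == EINVAL
        && stat(victim, &st) == 0)
        result |= 2;

    if ((fd = open(job, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (remove_job_hardened(spool, "job1", getuid()) == 0 && stat(job, &st) != 0)
        result |= 4;

    unlink(victim); rmdir(spool); rmdir(base);
    return result;
}

int main(void) {
    printf("demo bitmask: %d (7 means all three behaviours observed)\n", demo());
    return 0;
}
```

The name check alone would stop the traversal but not the rename race, and the directory descriptor alone would stop the race but still follow a name such as ../../etc/passwd relative to the spool; both measures together are what closes the bug.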
While no specific threat groups are publicly linked to this CVE, any local attacker who can already run commands on the host can use it to remove files with at's privileges, which makes it useful for denial of service or for disabling controls after an initial foothold. This vulnerability is not listed on the CISA KEV.
Monitor process accounting and audit logs for at -r invocations whose job argument contains .. or / sequences; legitimate job identifiers are single tokens.
Analyze file system activity for rapid renames or symbolic link creation in and around the at spool directory at the time of at -r invocations.
Review system logs for errors or missing files after at -r activity, which could indicate that a file outside the spool was removed.
Use file integrity monitoring to detect unexpected deletion of critical system files.
Apply the vendor patches for the affected Solaris releases. This is the primary and most effective remediation.
Restrict the at command to trusted users with the at.allow and at.deny access lists (/etc/cron.d/at.allow and /etc/cron.d/at.deny on Solaris).
Implement file system monitoring to detect and alert on suspicious renames, symbolic links and deletions near the at spool.
Where at is not needed, disable it or use a job scheduler that does not exhibit this race.
Regularly audit system configurations to confirm the expected permissions on the at spool directory and on critical system files.