A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. (dot dot) sequences in the job name, then modifying the directory structure after at checks permissions to delete the file and before the deletion actually takes place.
Solaris 2.6 through 9 are vulnerable to local arbitrary file deletion through a time-of-check-to-time-of-use (TOCTOU) race in the at command, which runs with elevated privileges (it is installed setuid root so that it can manage the job spool). A local user can exploit the flaw to delete files they could not otherwise touch, which can destabilize the system or cause a denial of service; the window is opened by manipulating the file system while at is removing a job (at -r), not while it is scheduling one.
Step 1: Job Removal Request: The attacker invokes at -r with a crafted job name containing .. (dot-dot) sequences, so that the path at builds from the spool directory and the job name resolves outside the spool directory, toward a sensitive file the attacker does not own.
Step 2: Permission Check: at resolves that path and checks that the invoking user is allowed to remove the file it currently points at (typically by checking the file's ownership). The attacker arranges for the path to resolve, at this moment, to a file they do own, so the check passes.
Step 3: File System Manipulation: After the check but before the deletion, the attacker changes the directory structure so that the same path now resolves to the real target, for example by renaming a directory component in the path or repointing a symbolic link in it at the target file.
Step 4: File Deletion: at unlinks the path it has already checked. Because the path is resolved a second time and at runs as root, the unlink removes the target file rather than the file that was checked.
Step 5: Arbitrary File Deletion: The target file is gone. Depending on which file it was, the result ranges from data loss to system instability or denial of service.
The vulnerability has two ingredients. First, at treats the -r argument as a file name to be joined onto the spool directory without validating that it is a plain job identifier, so .. (dot-dot) sequences let the resulting path escape the spool directory and name any file on the system. Second, at checks the user's right to remove that file and then unlinks it as two separate operations on the same path; each operation resolves the path independently, so an attacker who changes the directory structure or a symbolic link between the two can have the check pass on a file they own and the unlink land on a file they do not. Because at runs as root, the kernel does not stop the second step. This is a classic time-of-check-to-time-of-use (TOCTOU) defect: nothing ties the check atomically to the use. Closing it requires validating the job name as a single directory entry (no slashes, not . or ..) and then either dropping privileges to the invoking user before the unlink, so the kernel performs the permission check and the deletion as one operation, or binding both steps to the spool directory (for example, by performing them relative to an open descriptor on that directory) so the path cannot be re-resolved elsewhere in between.
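The check-then-unlink pattern behind the steps above, beside a hardened replacement, as an added C illustration; this is not Solaris's at source (which this page does not show), and the function names, the spool layout and the job-id format are assumptions. remove_job_vulnerable checks ownership by path and then unlinks by the same path, with the race window marked; remove_job_hardened rejects any job name that is not a single directory entry and pins both the check and the unlink to a descriptor on the spool directory with fstatat/unlinkat. run_demo builds a throwaway tree under /tmp (a constructed layout, not at's real spool) and shows the .. escape succeeding against the vulnerable version and being refused by the hardened one; the timing race itself needs a second process and is only marked, not exercised.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustration, not Solaris source): the caller-supplied
 * job name is joined onto the spool directory unvalidated, so ".." reaches
 * outside it, and the ownership check and the unlink each resolve the path
 * on their own, so what it points at can change in between. Because at(1)
 * is setuid root, the unlink succeeds wherever it lands. */
int remove_job_vulnerable(const char *spooldir, const char *jobname, uid_t uid)
{
    char path[8192];
    struct stat st;

    snprintf(path, sizeof path, "%s/%s", spooldir, jobname);
    if (stat(path, &st) != 0 || st.st_uid != uid)
        return -1;                        /* time of check */
    /* ---- race window: attacker renames a directory component or repoints
     * a symlink so that `path` now resolves to a file they do not own ---- */
    return unlink(path);                  /* time of use */
}

/* A job name must be a single directory entry: no '/', not "." or "..",
 * and only the characters assumed here for job ids (letters, digits, '.'). */
int job_name_is_valid(const char *jobname)
{
    if (jobname == NULL || *jobname == '\0')
        return 0;
    if (strcmp(jobname, ".") == 0 || strcmp(jobname, "..") == 0)
        return 0;
    for (const char *p = jobname; *p != '\0'; p++)
        if (*p == '/' || !(isalnum((unsigned char)*p) || *p == '.'))
            return 0;
    return 1;
}

/* Hardened: validate the name, then bind the check and the unlink to one
 * descriptor on the spool directory. With no '/' in the name, unlinkat can
 * only remove an entry of that directory, so rearranging parent directories
 * or symlinks elsewhere no longer changes what is deleted. */
int remove_job_hardened(const char *spooldir, const char *jobname, uid_t uid)
{
    struct stat st;
    int dfd, rc;

    if (!job_name_is_valid(jobname)) {
        errno = EINVAL;
        return -1;
    }
    dfd = open(spooldir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstatat(dfd, jobname, &st, AT_SYMLINK_NOFOLLOW) != 0 ||
        !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(dfd);
        errno = EACCES;
        return -1;
    }
    rc = unlinkat(dfd, jobname, 0);
    close(dfd);
    return rc;
}

static int touch(const char *p)       /* create an empty file owned by us */
{
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Constructed layout: <tmp>/spool/1061140800.a is a "job" we own and
 * <tmp>/victim stands in for a file outside the spool. Returns 0 when the
 * vulnerable path deletes the victim via "..", the hardened path refuses the
 * same name, and the hardened path still removes the real job. */
int run_demo(void)
{
    char tmpl[] = "/tmp/atrace.XXXXXX";
    char spool[4096], victim[4096], job[4096];
    struct stat st;

    if (mkdtemp(tmpl) == NULL) return 1;
    snprintf(spool, sizeof spool, "%s/spool", tmpl);
    snprintf(victim, sizeof victim, "%s/victim", tmpl);
    snprintf(job, sizeof job, "%s/1061140800.a", spool);
    if (mkdir(spool, 0700) != 0 || touch(victim) != 0 || touch(job) != 0) return 2;

    if (remove_job_vulnerable(spool, "../victim", getuid()) != 0) return 3;
    if (stat(victim, &st) == 0) return 4;   /* vulnerable: victim is gone */

    if (touch(victim) != 0) return 5;
    if (remove_job_hardened(spool, "../victim", getuid()) == 0) return 6;
    if (stat(victim, &st) != 0) return 7;   /* hardened: victim untouched */

    if (remove_job_hardened(spool, "1061140800.a", getuid()) != 0) return 8;
    if (stat(job, &st) == 0) return 9;      /* legitimate job removed */

    unlink(victim); rmdir(spool); rmdir(tmpl);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Build with cc -Wall and run as an unprivileged user; the demo uses only files the user owns, which is enough to show the .. escape and the rejection. The descriptor-pinning approach is one of the two remedies described above; the other, seteuid() to the invoking user before the unlink, is not shown because the demo does not run as root, and in a setuid program the two are complementary rather than alternatives.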