https://www.exploit-db.com/exploits/19261
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199807-005

IRIX6.2和NetBSD1.3.2及其早期版本的at程序中存在漏洞，本地用户通过提交文件到at程序带-f参数从而读取任意文件的部分内容，在通过电子邮件发送到用户时，会生成错误信息。

source: http://www.securityfocus.com/bid/331/info

A vulnerability exists in NetBSD version 1.3.2 and lower, and Silicon Graphics Inc's IRIX versions 6.2, 6.3, 6.4, 6.5 and 6.5.1. The at(1) program can be supplied with a -f flag, and an error is access validation can result in the mailing of portions of unreadable files to any user who can run at.

At uses seteuid to set the appropriate user id to run under. However, it incorrectly sets its real and effective uid to 0 prior to opening the filename passed to the -f flag. This allows any user to read any file on the filesystem. 

$ at -f /etc/shadow now + 1 minute

This will mail back a portion of the shadow file to the user.

来源:BUGTRAQ
名称:19980703moreabout’at’
链接:http://www.shmoo.com/mail/bugtraq/jul98/msg00064.html
来源:BID
名称:331
链接:http://www.securityfocus.com/bid/331
来源:XF
名称:at-f-read-files(7577)
链接:http://www.iss.net/security_center/static/7577.php
来源:BUGTRAQ
名称:19980805irix-6.2″at-f”vulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=90233906612929&w;=2
来源:NETBSD
名称:NetBSD-SA1998-004
链接:ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA1998-004.txt.asc