[13138] in bugtraq
Re: majordomo local exploit
daemon@ATHENA.MIT.EDU (Brock Sides)
Wed Dec 29 21:32:44 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9912291022170.25584-100000@koala.towery.com>
Date: Wed, 29 Dec 1999 10:28:32 -0600
Reply-To: Brock Sides <bsides@TOWERY.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912290703.AAA05209@xerxes.courtesan.com>
A note to anybody applying this, via patch or otherwise. Don't keep the
original resend lying around in the majordomo directory: wrapper assumes
everything in that directory is secure, and will gladly execute it.

[brock@o2 brock]$ /usr/freeware/majordomo/wrapper resend.orig '@|id'
uid=1126(majordomo) gid=1(daemon)
resend: must specify '-l list' at /usr/freeware/majordomo-1.94.4/resend.orig line 78.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com
On Wed, 29 Dec 1999, Todd C. Miller wrote:
> For those using perl 5.x, you can use sysopen() instead of the "magic"
> perl open() to fix this.
>
> - todd
>
> --- resend Thu Aug 19 10:12:03 1999
> +++ resend+ Tue Dec 28 23:55:39 1999
> @@ -58,7 +58,7 @@
> if ($ARGV[0] =~ /^\@/) {
> $fn = shift(@ARGV);
> $fn =~ s/^@//;
> - open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
> + sysopen(AV, $fn, O_RDONLY) || die("sysopen(AV, \"$fn\", O_RDONLY): $!\nStopped");
> undef($/); # set input field separator
> $av = <AV>; # read whole file into string
> close(AV);
>
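
Review bot: the sysopen() call on the + line passes O_RDONLY, and nothing in this hunk shows where that constant is defined; confirm that resend already loads Fcntl, or add "use Fcntl;" near the top of the script in the same patch so the constant does not depend on bareword behaviour. Separately, $fn is still taken from $ARGV[0] with only the leading @ stripped, so after this change the script will still read any path the invoking user id can open; if the argument file is only expected in a known location, a check on $fn before the sysopen() would make that explicit.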
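
The caveat at the top of this message (a leftover resend.orig in the directory wrapper executes from), as an added example that is not part of the original post: a shell function that lists backup-style leftovers in that directory so they can be moved out. The function name and the suffix list are assumptions; the directory in the usage comment is the one shown in the transcript above.

```shell
#!/bin/sh
# Added example: list backup-style leftovers in the directory that the
# majordomo wrapper runs programs from, since wrapper will execute
# anything it finds there.
# Assumptions: the function name and the suffix list are illustrative.
#
# Usage: audit_wrapper_dir /usr/freeware/majordomo

# Print each leftover regular file, one per line.
# Returns 0 if the directory is clean, 1 if any leftover was found.
audit_wrapper_dir() {
    dir=$1
    status=0
    for f in "$dir"/*.orig "$dir"/*.rej "$dir"/*.bak "$dir"/*.old "$dir"/*~; do
        # An unmatched glob stays literal, so skip anything that is not a file.
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        status=1
    done
    return "$status"
}
```

The non-zero return on a finding lets the function gate a post-patch step or a cron check.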