[13147] in bugtraq
Re: majordomo local exploit
daemon@ATHENA.MIT.EDU (Henrik Edlund)
Thu Dec 30 13:20:42 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.20.9912300436140.10698-100000@corellia.edlund.org>
Date: Thu, 30 Dec 1999 04:37:36 +0100
Reply-To: Henrik Edlund <henrik@EDLUND.ORG>
From: Henrik Edlund <henrik@EDLUND.ORG>
X-To: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912291530.RAA27325@sirppi.helsinki.fi>
On Wed, 29 Dec 1999, Taneli Huuskonen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> "Todd C. Miller" <Todd.Miller@COURTESAN.COM> wrote:
>
> > For those using perl 5.x, you can use sysopen() instead of the "magic"
> > perl open() to fix this.
>
> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
> /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.
This patch should take care of that problem:
--- majordomo.old Sat Oct 2 02:30:30 1999
+++ majordomo Thu Dec 30 04:34:25 1999
@@ -44,6 +44,25 @@
die("$cf not readable; stopped");
}
+# Check if the cf file is owned by effective uid
+if ((stat($cf))[4] != $>) {
+ die("$cf not owned by effective uid; stopped");
+}
+
+# Check if the cf file is owned by effective gid
+$cfgid = (stat($cf))[5];
+$inlist = 0;
+foreach (split(/ /, $))) {
+ if ($cfgid == $_) {
+ $inlist = 1;
+ last;
+ }
+}
+if (! $inlist) {
+ die("$cf not owned by effective gid; stopped");
+}
+
+# Now we can read and execute the cf file
require "$cf";
# Go to the home directory specified by the .cf file
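Review bot: the ownership checks and the `require "$cf"` at the end of the hunk operate on the pathname rather than on one opened file, so `(stat($cf))[4] != $>` and `$cfgid = (stat($cf))[5]` each inspect whatever the path names at that instant, and `require "$cf"` then opens it a third time; a file under a path the caller controls (the `-C /tmp/evilhack.pl` case quoted above) can change between those calls, so the contents that get executed are not necessarily the contents that were checked. Opening the file once, checking `(stat(FH))[4]` and `(stat(FH))[5]` on that handle, and evaluating what is read from the same handle would close that gap. Two smaller points: the comment `# Check if the cf file is owned by effective gid` does not match the loop, which accepts any group listed in `$)` (the effective gid plus all supplementary groups), and nothing rejects a file that passes the uid test but is group- or world-writable; a mode test on the same stat result would cover that, and capturing `stat` into an array once avoids calling it twice.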
Comments?
--
Henrik Edlund
http://www.edlund.org/
"They were in the wrong place at the wrong time.
Naturally they became heroes."
Leia Organa of Alderaan, Senator