[13163] in bugtraq


Re: majordomo local exploit

daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Fri Dec 31 04:11:58 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <386C1759.2E59B346@hem.passagen.se>
Date:         Fri, 31 Dec 1999 03:39:21 +0100
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         Henrik Edlund <henrik@EDLUND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Henrik Edlund wrote:

> > I'm afraid that wouldn't help much, as you can supply any pathname as
> > the -C (configuration file) argument:
> >
> >       /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
> >
> > I tested this with version 1.94.1, but the same behaviour seems to be
> > there in 1.94.4, as far as I can tell by the source.
>
> This patch should take care of that problem:
Not quite. Your patch can be fooled by simple link trickery as there is
a race window between your check and the parsing of the configuration
file.

A better way is to stat the filehandle. This guarantees (on systems
supporting fstat) that you get the information on the file about to be
read in rather than the information of a filename which may or may not
be the same file which is being read in.

--
Henrik Nordstrom
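As an added example (not part of this thread or of majordomo's own code), the open-then-fstat pattern Nordstrom describes, written in Python rather than majordomo's Perl; the config contents, file names, the expected-owner argument and the use of O_NOFOLLOW are assumptions of this example:

```python
import errno
import os
import stat
import tempfile

# O_NOFOLLOW is a Linux/BSD flag; fall back to 0 where it is missing (assumption).
_O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)

def read_config_checked(path, allowed_uid):
    """Open first, then fstat() the descriptor, so every check applies to the
    object actually read; stat(path) followed by open(path) leaves a window."""
    try:
        fd = os.open(path, os.O_RDONLY | _O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:  # final path component is a symlink
            raise PermissionError("refusing to follow symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != allowed_uid:
            raise PermissionError("owner uid %d, expected %d" % (st.st_uid, allowed_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("group- or world-writable")
        with os.fdopen(fd, "r") as f:  # fdopen takes over closing fd
            fd = -1
            return f.read()
    finally:
        if fd >= 0:
            os.close(fd)

def self_check():
    # Constructed scenario: a private list config plus a symlink pointing at it.
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "foobar.config")
    with open(cfg, "w") as f:
        f.write("# constructed sample config\n$listname = 'foobar';\n")
    os.chmod(cfg, 0o600)
    link = os.path.join(d, "evil.config")
    os.symlink(cfg, link)
    me = os.getuid()
    results = {"direct": read_config_checked(cfg, me)}
    for name, args in (("symlink", (link, me)), ("wrong_owner", (cfg, me + 1))):
        try:
            read_config_checked(*args)
            results[name] = "accepted"
        except PermissionError as e:
            results[name] = "rejected: " + str(e)
    return results
```

The checks run on the descriptor that is subsequently read from, so renaming or re-linking the path between check and read no longer changes which file the checks describe.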
