[13192] in bugtraq


Re: majordomo local exploit

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Jan 3 16:27:03 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000103152201.C3923@monad.swb.de>
Date:         Mon, 3 Jan 2000 15:22:01 +0100
Reply-To: Olaf Kirch <okir@LST.DE>
From: Olaf Kirch <okir@LST.DE>
X-To:         Henrik Edlund <henrik@EDLUND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.20.9912300436140.10698-100000@corellia.edlund.org>;
              from henrik@EDLUND.ORG on Thu, Dec 30, 1999 at 04:37:36AM +0100

On Thu, Dec 30, 1999 at 04:37:36AM +0100, Henrik Edlund wrote:
> This patch should take care of that problem:

No it doesn't. Apart from the raceability others have pointed out
there are a bunch of other scripts in the majordomo directory
that also take a -C and/or -c argument that lets you specify a
config file. In addition, the conf-test script (which by default
is also installed in the majordomo directory) accepts the name
of the config file as its first argument. All these scripts can
be executed by Joe User simply by running `$LIBDIR/wrapper scriptname'.

Apart from the config file handling, there's probably a whole lot
of exciting stuff you can do with majordomo's command line arguments.
For instance try

/usr/lib/majordomo/wrapper resend -l ../../../../../tmp/toast root < /dev/null

and admire the majordomo.majordomo owned file in your /tmp
directory.

By the same approach, you can fake a mailing list configuration by
placing a toast.config file in your /tmp directory. You can modify
this configuration to e.g. set the sender address (used in bounces
generated by resend) to "foo@bar.com -C/tmp/sendmail.cf". If you
now pipe a message into resend that generates a bounce, resend
will invoke "sendmail -tfoo@bar.com -C/tmp/sendmail.cf". Sendmail in
turn, given the -C flag, will drop root privs and do whatever you ask
it to do as the invoking user--which is majordomo because wrapper.c
has set the real uid and gid to majordomo.

(NB: don't bother with silly shell specials--resend uses fork/exec
rather than system())

Fixing majordomo should

 a)	Put those scripts that ordinary users should be able
	to run with majordomo privileges into a separate
	directory. Normally, this should be the majordomo
	script itself, and resend.

 b)	In wrapper.c, remove the ability to pass any arguments
	other than -l listname (also refuse arguments starting
	with @, these have a special meaning for resend).

	Any other values one would potentially want to pass to resend
	and/or majordomo can be specified in the general config file.

 c)	If a list name is given on the command line, ensure
	it's sane.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
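As an added example (not code from Olaf's post or from the majordomo source), here is one way a setuid wrapper could implement points a), b) and c) above as a single argument validator that runs before anything is exec'd; the allow-list of user-runnable scripts and the list-name syntax are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Point a): hypothetical allow-list of the only scripts ordinary users
 * may run with majordomo privileges (the post names majordomo and resend). */
static const char *const allowed_scripts[] = { "majordomo", "resend", NULL };

/* Point c): a sane list name is a short plain token: no '/', no "..",
 * no leading '-', '@' or '.', and only [A-Za-z0-9._-] throughout.
 * Returns 1 if sane, 0 otherwise. */
int sane_listname(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '-' || name[0] == '@' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return strstr(name, "..") == NULL;   /* rejects a..b, ../x etc. */
}

static int script_allowed(const char *script)
{
    for (int i = 0; allowed_scripts[i]; i++)
        if (strcmp(script, allowed_scripts[i]) == 0) return 1;
    return 0;
}

/* Point b): the only accepted argument vector is
 *   wrapper <script> [-l <listname>]
 * so -C/-c config-file options, extra positionals (conf-test's config
 * path) and '@file' arguments are all refused.
 * Returns 1 if argv may be passed through to the script, 0 otherwise. */
int validate_wrapper_args(int argc, char **argv)
{
    if (argc < 2 || !script_allowed(argv[1])) return 0;
    if (argc == 2) return 1;                        /* no list given */
    if (argc != 4 || strcmp(argv[2], "-l") != 0) return 0;
    return sane_listname(argv[3]);
}

int main(int argc, char **argv)
{   /* A real wrapper would setuid and exec the script only after this passes. */
    return validate_wrapper_args(argc, argv) ? 0 : 1;
}
```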