[13555] in bugtraq
Re: majordomo 1.94.5 does not fix all vulnerabilities
daemon@ATHENA.MIT.EDU (Chan Wilson)
Tue Jan 25 14:08:44 2000
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000125122028C.cwilson@unknown-domain>
Date: Tue, 25 Jan 2000 12:20:28 +0100
Reply-To: Chan Wilson <cwilson@NEU.SGI.COM>
From: Chan Wilson <cwilson@NEU.SGI.COM>
X-To: bsides@towery.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10001241428460.4903-100000@koala.towery.com>
Brock Sides <bsides@TOWERY.COM> spaketh thusly on Mon, 24 Jan 2000 14:55:42 -0600 about majordomo 1.94.5 does not fix all vulnerabilities...
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:
Correct. That is far better addressed at a o/s level by protecting
the directory that the majordomo code lives in. A security note has
been added to the top of the INSTALL document that attempts to
highlight this matter:
** SECURITY ALERT **
The default installation of Majordomo, including the checks that
config-test does, WILL NOT RESULT IN A SECURE INSTALLATION. In
particular, the majordomo home directory and the "wrapper" program
are, by default, accessible to any user. These open privileges can be
(mis)used to change list membership, list configuration details, forge
email, perhaps even create and/or delete lists, and anything else that
the majordomo user has permissions to do.
If Majordomo is *NOT* installed on a secured system with controlled
access (and if you are paranoid, even if it is), you will need to take
additional steps to prevent access to the majordomo directories.
Usually, changing the privileges of the majordomo home directory to be
0750 fixes these problems, but creates the additional burden of
needing to configure the MTA (sendmail, qmail, exim) properly so that
it can read and execute "wrapper". Such configuration is beyond the
scope of this install document, and is left to the FAQ (Doc/FAQ,
Doc/majordomo-faq.html) and the support group
majordomo-users@greatcircle.com to answer.
** SECURITY ALERT **
While it is possible, as has been posted earlier, to patch all the
code that uses the -C configuration file flag, *and* patch resend to
only allow execution of code in specific directories, *and* rework
code so it knows where to find the relocated code, it is far easier to
simply prevent access to the majordomo directory (including access
log, list configuration, membership, etc) which gives security from
both execution of arbitrary code *and* information security for the
distribution lists.
--Chan
majordomo maintainer.
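An added check, not part of the post or of Majordomo itself, that tests whether a given path (the majordomo home directory, or the "wrapper" program) is still accessible to "other" users, i.e. whether the 0750 advice in the INSTALL note above has been applied. Paths are parameters; the demo uses constructed temporary directories.

```shell
#!/bin/sh
# Added example (not Majordomo's own code): report paths that are
# world-accessible, which the INSTALL note says the default install leaves.

# mode_of PATH: print the symbolic mode string, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# world_accessible PATH: return 0 if "other" has any of r/w/x on PATH
world_accessible() {
    case "$(mode_of "$1" | cut -c8-10)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# check_majordomo_path PATH: OK when "other" has no access, WARN otherwise.
# Returns 0 when locked down, 1 when world-accessible, 2 when missing.
check_majordomo_path() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "ERROR: $p does not exist"
        return 2
    fi
    if world_accessible "$p"; then
        echo "WARN: $p is world-accessible ($(mode_of "$p"));" \
             "chmod 0750 and put the MTA user in its group"
        return 1
    fi
    echo "OK: $p is not world-accessible ($(mode_of "$p"))"
    return 0
}

# Constructed demo: one directory left at the default 0755, one at 0750.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/open" "$tmp/locked"
    chmod 0755 "$tmp/open"
    chmod 0750 "$tmp/locked"
    check_majordomo_path "$tmp/open"
    check_majordomo_path "$tmp/locked"
    rm -rf "$tmp"
}
```

Run `check_majordomo_path /path/to/majordomo` and `check_majordomo_path /path/to/majordomo/wrapper` against a real install; the demo only exercises constructed directories.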