[16037] in bugtraq

home help back first fref pref prev next nref lref last post

Advisory: mailman local compromise

daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Tue Aug 1 17:52:06 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Message-Id:  <4.3.1.2.20000801131320.00b4eb90@pop.crosswinds.net>
Date:         Tue, 1 Aug 2000 13:14:20 -0400
Reply-To: Stan Bubrouski <secnet@CROSSWINDS.NET>
From: Stan Bubrouski <secnet@CROSSWINDS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Author                 : Stan Bubrouski
Date                    : August 1, 2000
Package              : mailman
Versions affected : 2.0beta3 (released: 2000-Jun-28 23:25)
                              2.0beta4 (released: 2000-Jul-06 21:27)
Severity               : access to group mailman binaries are installed as 
which (usually mailman).
                              Most directories in a mailman install are 
mode 2755 as are most of the
                              binaries and scripts.  Many configurations 
are 664 allowing a local user
                              to change list ocnfigurations and even read 
the adm.pw passwd file.
                              Additionally besides being able to read 
public and private data along with
                              passwds, a malicious user could replace 
binaries and scripts in a mailman
                              installation because they are writable by 
group mailman.
Problem              : The mailman package comes with a sgid program named 
wrapper.  This
                              program contains a function named fatal() 
which is used to display error
                              messages.  Unfortunately it fails to send the 
correct amount of arguments
                              to the fprintf(3) function allowing users to 
add formatting which could
                              be used to insert and execute code under 
group mailman.  fatal()
                              is called when invalid arguments are provided 
and in such a case, the invalid
                              arguments are sent to fprintf without being 
formatted, the same goes for argv[0].
Example:

[user@king user]$ ls -al /usr/share/mailman/mail/wrapper
-rwxr-sr-x    1 mailman  mailman     36290 Jul  1 06:48 
/usr/share/mailman/mail/wrapper
[user@king user]$ cd /usr/share/mailman/mail
[user@king mail]$ ls -al
total 39
drwxrwsr-x    2 mailman  mailman      1024 Jul 12 19:29 .
drwxrwsr-x   16 mailman  mailman      1024 Jul 27 20:13 ..
-rwxr-sr-x    1 mailman  mailman     36290 Jul  1 06:48 wrapper
[user@king mail]$ ./wrapper
Usage: ./wrapper program [args...]
[user@king mail]$ ./wrapper %s
Illegal command: Illegal command: %s[user@king mail]$ ./wrapper %s%s
Illegal command: Illegal command: %s%s•ýÿ¿œ=@„üÿ¿Xüÿ¿€>@[user@king 
mail]$ ./wrapper %s%s%s
Segmentation fault
[user@king mail]$ ./wrapper %s%u%p
Illegal command: Illegal command: %s%u%p32212244600x656c6c49[user@king mail]$
[user@king mail]$ doexec ./wrapper %s
Usage: Usage: %s program [args...]
  program [args...]
[user@king mail]$ doexec ./wrapper %s%s
Usage: Usage: %s%s program [args...]
“ýÿ¿œ=@„üÿ¿Xüÿ¿€>@ program [args...]
[user@king mail]$ doexec ./wrapper %s%p
Usage: Usage: %s%p program [args...]
0xbffffc0c program [args...]
[user@king mail]$ doexec ./wrapper %s%S%u
Usage: Usage: %s%S%u program [args...]
[user@king mail]$ doexec ./wrapper %s%s
Usage: Usage: %s%s program [args...]
“ýÿ¿œ=@„üÿ¿Xüÿ¿€>@ program [args...]
[user@king mail]$ doexec ./wrapper %s%s%s
Segmentation fault
[user@king mail]$

Patch:
diff -u -r ./cgi-wrapper.c.orig ./cgi-wrapper.c
--- ./cgi-wrapper.c.orig        Tue Mar 21 01:26:41 2000
+++ ./cgi-wrapper.c     Fri Jul 28 00:17:42 2000
@@ -53,7 +53,7 @@
         fake_argv[2] = script;

         status = run_script("driver", 3, fake_argv, env);
-       fatal(logident, status, "%s", strerror(errno));
+       fatal(logident, status, "%s\n", strerror(errno));
         return status;
  }

diff -u -r common.c.orig ./common.c
--- ./common.c.orig     Mon May 22 14:59:31 2000
+++ ./common.c  Thu Jul 27 23:58:12 2000
@@ -108,7 +108,7 @@
                 printf("</pre>\n");
         }
         else
-               fprintf(stderr, log_entry);
+               fprintf(stderr, "%s", log_entry);
  #endif /* HELPFUL */
         exit(exitcode);
  }
diff -u -r ./mail-wrapper.c.orig ./mail-wrapper.c
--- ./mail-wrapper.c.orig       Tue Mar 21 01:26:41 2000
+++ ./mail-wrapper.c    Fri Jul 28 00:16:34 2000
@@ -67,13 +67,13 @@

         if (!check_command(argv[1]))
                 fatal(logident, MAIL_ILLEGAL_COMMAND,
-                     "Illegal command: %s", argv[1]);
+                     "Illegal command: %s\n", argv[1]);

         check_caller(logident, parentgid);

         /* If we got here, everything must be OK */
         status = run_script(argv[1], argc, argv, env);
-       fatal(logident, status, "%s", strerror(errno));
+       fatal(logident, status, "%s\n", strerror(errno));
         return status;
  }

Patch info            : The patch fixes fatal() and also adds newlines to 
some fatal() calls because
                              fatal() does not tack them on and as you can 
see in the example above, the
                              lack of newlines in some calls make errors 
harder to read.  I made the patch
                              using the latest CVS tree but it should apply 
to beta3 and beta4 releases as well.
home help back first fref pref prev next nref lref last post