Bugtraq mailing list archives

Re: Duplicate List Messages [I guess there's a serious majordomo bug...]


From: chasin () crimelab crimelab com (Scott Chasin)
Date: Wed, 8 Jun 94 8:35:21 CDT


 
Hahaha!  Isn't that just like the thing - the owner of a 'full disclosure'
list resorts to security by obscurity when it's *his* machine that's
vulnerable.

 
Wish I hadn't wasted my money phoning the States to warn you about
it last night.  Excuse me while I sign up with CERT's mailing list
again, they'll probably tell me more :-(

Do whatever you like.  Information about this hole was to be posted within
HOURS of my post informing of the current problems.  It is now available
and has been posted.  

G
(It *is* majordomo, isn't it?  Since you now have it under an
obvious wrapper, I guess that means there's a way to pass it
command line options somehow in a mail address...?)
 
Majordomo is always run under a wrapper.  And yes, the problem is with
passing commands in a manipulated sendmail header (if you don't know by 
now).  This script is being passed around and actively used.  I didn't bother
posting the whole script since the description of what it manipulates is
quite clear.

--Scott

---CUT HERE--
# Majordomo Penetration Tool v1.0
# (c) 1994 Idefix
#
# A tool to open a port on machines running the majordomo mailserver.
# I based this on the sendmail exploit code by Scott Chasin; I hacked it
# a bit and did some brainstorming on how to bypass the filters and checks
# of the majordomo script.
#
# The script makes use of the system() command in the majordomo maillist
# server program. By supplying commands on the From: line these are executed
# by the majordomo server. The majordomo server allows managing multiple
# maillists. The best way to determine if a maillist is managed by majordomo
# is to telnet to port 25 of the host and type EXPN <the-majordomo-user>
# thus for example:
#
#       EXPN majordomo
#       250 "|/usr/local/majordomo/wrapper majordomo"
#
# Some lists are managed by a list specific request address of the form
# maillist-request@host. Thus for example:
#
#       EXPN maillist-request
#       250 "|/usr/local/majordomo/wrapper request-answer maillist"
#
# The wrapper is run with the daemon uid or some special list uid. This
# will also be the uid the shell on a port will be run under. The shell
# can be accessed by telnetting to the port. Because of the way
# <return> is handled, every command must be terminated by a ';' the resulting
# '... not found' can be ignored.
#
# When mailing to the regular majordomo server an entry is put in a Log
# file. Also it is best to check the aliases file to see if there is an
# archive that the messages are also going to.
#
# Options are: the mailserver address; the port where the command will be
# connected to; the command to be executed (this should not contain any
# '/' characters, because messages containing one are discarded); and a
# return address to check whether the sendmail command was executed.

# Usage: mpt <hostname> <target-port> <shell command> <return-address> 
# default: mpt firewalls-request () mycroft greatcircle com <7001> <sh> <>
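An added example, not part of Scott's post and not the tool he quotes, to go with the two mechanisms the header describes: the EXPN reconnaissance on port 25 and the shell metacharacters smuggled through the From: header into system(). The script below parses EXPN replies of the two shapes shown above (including the multi-line 250- form), issues a real EXPN over a raw SMTP session, and applies a simple metacharacter heuristic that a list owner could run over the Majordomo log the header mentions. Hostnames, the HELO name and the sample replies are constructed; the shell-metacharacter set is my own choice, not something the post specifies.

```python
"""Reconnaissance check and log heuristic for the Majordomo issue in this post.

Added example, not the tool referenced above. It assumes only what the post
states: EXPN on port 25 reveals pipe aliases of the form
    250 "|/usr/local/majordomo/wrapper majordomo"
and that text placed in the From: header reaches system(). Hostnames and the
sample replies below are constructed for illustration.
"""
import re
import socket
from typing import Dict, List, Optional

# A 250 reply whose expansion is a program pipe: 250[ -]"|<program> <args...>"
PIPE_RE = re.compile(r'^250[ -]\s*"?\|(?P<cmd>[^"\r\n]+)"?')

# Shell metacharacters that have no business in a mail address (my choice of
# set, not from the post). Any of these in a From: value handed to system()
# is worth a second look.
SHELL_META = set(';|&`$<>(){}\n')


def classify_expn_reply(reply: str) -> Optional[Dict[str, object]]:
    """Parse one (possibly multi-line) EXPN reply.

    Returns None unless some 250 line expands to a pipe. For a pipe, reports
    the program, its first argument (the wrapper's subcommand, e.g. 'majordomo'
    or 'request-answer') and the list name when one is present.
    """
    for line in reply.splitlines():
        m = PIPE_RE.match(line.strip())
        if not m:
            continue
        argv = m.group("cmd").split()
        return {
            "program": argv[0],
            "subcommand": argv[1] if len(argv) > 1 else None,
            "list": argv[2] if len(argv) > 2 else None,
            "wrapper": argv[0].endswith("/wrapper"),
        }
    return None


def expn(host: str, alias: str, port: int = 25, timeout: float = 10.0) -> str:
    """Issue HELO + EXPN over a raw SMTP session and return the EXPN reply text.

    Network call; not exercised offline. Replies are read line by line until
    the final '<code><space>' line, as RFC 821 requires for multi-line replies.
    """
    def read_reply(f) -> str:
        lines = []
        while True:
            line = f.readline().decode("latin-1")
            if not line:
                raise ConnectionError("server closed connection")
            lines.append(line)
            if len(line) >= 4 and line[3] == " ":
                return "".join(lines)

    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        read_reply(f)                           # 220 greeting
        s.sendall(b"HELO probe.example\r\n")    # constructed client name
        read_reply(f)
        s.sendall(f"EXPN {alias}\r\n".encode("ascii"))
        reply = read_reply(f)
        s.sendall(b"QUIT\r\n")
        return reply


def suspicious_from(from_header: str) -> List[str]:
    """Return the shell metacharacters present in a From: header value.

    An empty list means the value is clean by this heuristic. Run it over the
    Majordomo log the post mentions, or over mail before it reaches the list
    server. A quoted local part such as "a;b"@example.org is legal mail syntax
    and will be flagged; that false positive is acceptable for a list server.
    """
    return sorted(ch for ch in SHELL_META if ch in from_header)


if __name__ == "__main__":
    # Constructed replies in the two shapes the post shows, plus negatives.
    samples = [
        ("majordomo", '250 "|/usr/local/majordomo/wrapper majordomo"'),
        ("maillist-request",
         '250 "|/usr/local/majordomo/wrapper request-answer maillist"'),
        ("jane", "250 Jane Doe <jane@example.org>"),
        ("postmaster", "502 EXPN command not implemented"),
    ]
    for alias, reply in samples:
        print(alias, "->", classify_expn_reply(reply))
    print(suspicious_from("victim@example.org"))
    print(suspicious_from("user@example.org; touch x"))
```

To probe a live host, call `classify_expn_reply(expn("mail.example.org", "majordomo"))`; a result with `"wrapper": True` and `"subcommand": "majordomo"` is the situation the header's EXPN transcript describes, and a None result for a 252 or 502 reply means EXPN is disabled and the alias file has to be checked by other means.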


