Bugtraq mailing list archives
Re: Duplicate List Messages [I guess there's a serious majordomo bug...]
From: chasin () crimelab crimelab com (Scott Chasin)
Date: Wed, 8 Jun 94 8:35:21 CDT
> Hahaha! Isn't that just like the thing - the owner of a 'full disclosure' list resorts to security by obscurity when it's *his* machine that's vulnerable.
> Wish I hadn't wasted my money phoning the States to warn you about it last night. Excuse me while I sign up with CERT's mailing list again, they'll probably tell me more :-(
Do whatever you like. Information about this hole was to be posted within HOURS of my post informing of the current problems. It is now available and has been posted.
> G (It *is* majordomo, isn't it? Since you now have it under an obvious wrapper, I guess that means there's a way to pass it command line options somehow in a mail address...?)
Majordomo is always run under a wrapper. And yes, the problem is with passing commands in a manipulated sendmail header (if you don't know by now). This script is being passed and actively used. I didn't bother posting the whole script since the description of what it manipulates is quite clear.

--Scott

---CUT HERE--
# Majordomo Penetration Tool v1.0
# (c) 1994 Idefix
#
# A tool to open a port on machines running the majordomo mailserver.
# I based this on the sendmail exploit code by Scott Chasin, I hacked it
# a bit and did some brainstorming how to by-pass the filters and checks
# of the majordomo script.
#
# The script makes use of the system() command in the majordomo maillist
# server program. By supplying commands on the From: line these are executed
# by the majordomo server. The majordomo server allows managing multiple
# maillists. The best way to determine if a maillist is managed by majordomo
# is to telnet to port 25 of the host and type EXPN <the-majordomo-user>
# thus for example:
#
# EXPN majordomo
# 250 "|/usr/local/majordomo/wrapper majordomo"
#
# Some lists are managed by a list specific request address of the form
# maillist-request@host. Thus for example:
#
# EXPN maillist-request
# 250 "|/usr/local/majordomo/wrapper request-answer maillist"
#
# The wrapper is run with the daemon uid or some special list uid. This
# will also be the uid the shell on a port will be run under. The shell
# can be accessed by telnetting to the port. Because of the way
# <return> is handled every command must be terminated by a ; the resulting
# '... not found' can be ignored.
#
# When mailing to the regular majordomo server an entry is put in a Log
# file. Also it is best to check the aliases file to see if there is an
# archive that the messages are also going to.
#
# Options are the mailserver address, the port where the command will be
# connected to, the command to be executed (this should not contain any
# '/' characters because messages containing one will be discarded), and a
# return address to check if the sendmail command is executed.
# Usage: mpt <hostname> <target-port> <shell command> <return-address>
# default: mpt firewalls-request () mycroft greatcircle com <7001> <sh> <>
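The root cause in the thread is From: header text being interpolated into a string that system() hands to /bin/sh. The Python below is an added example, not code from the thread, from the tool, or from majordomo: it contrasts that string-building pattern with a validate-then-argv form, and runs the same address check over constructed sendmail-style log lines for a retrospective look. The sendmail path, the log format and the sample lines are assumptions.

```python
import re

# Characters /bin/sh treats specially.  If any of these are interpolated into a
# string handed to system(), the mail header, not the program, drives the shell.
SHELL_META = set(';&|`$<>(){}[]*?!#~\\"\'\n\r\t ')

# Conservative address shape: local part, one "@", a dotted domain.
ADDR_SHAPE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')

def extract_address(header_value: str) -> str:
    """Return the bare address from "Name <addr>" or from a bare "addr"."""
    m = re.search(r'<([^>]*)>', header_value)
    return (m.group(1) if m else header_value).strip()

def from_address_is_safe(header_value: str) -> bool:
    """True only if the From: value is a plain address free of shell metacharacters."""
    addr = extract_address(header_value)
    return not any(c in SHELL_META for c in addr) and ADDR_SHAPE.match(addr) is not None

def sendmail_command_1994_style(header_value: str) -> str:
    """The pattern the thread describes (a reconstruction, not majordomo's code):
    header text pasted into one string that system() passes to /bin/sh."""
    return "/usr/lib/sendmail -t " + header_value   # sendmail path is assumed

def sendmail_argv_hardened(header_value: str) -> list:
    """Hardened form: validate first, then build an argv list so no shell parses it
    (run it with subprocess.run(argv) or execv, never with system())."""
    addr = extract_address(header_value)
    if not from_address_is_safe(header_value):
        raise ValueError("From: address rejected: %r" % addr)
    return ["/usr/lib/sendmail", "-t", addr]

# Constructed sendmail-style log lines (not real output) for a retrospective check.
SAMPLE_LOG = """\
Jun  8 08:12:01 host sendmail[1234]: from=<user@example.org>, size=512
Jun  8 08:13:44 host sendmail[1240]: from=<list-request@example.org>, size=640
Jun  8 08:15:09 host sendmail[1251]: from=<"a;b"@example.org>, size=700
"""

def suspicious_from_entries(log_text: str) -> list:
    """Return each from=<...> value in the log that fails the safe-address check."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'from=<([^>]*)>', line)
        if m and not from_address_is_safe(m.group(1)):
            hits.append(m.group(1))
    return hits
```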
Current thread:
- Duplicate List Messages [I guess there's a serious majordomo bug...] Scott Chasin (Jun 07)
- <Possible follow-ups>
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] Graham Toal (Jun 08)
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] Scott Chasin (Jun 08)
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] der Mouse (Jun 08)
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] Eric Murray (Jun 08)
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] Graham Toal (Jun 08)
- Re: Duplicate List Messages [I guess there's a serious majordomo bug...] Steve Davis (Jun 08)