Bugtraq mailing list archives

Re: majordomo local exploit


From: bsides () TOWERY COM (Brock Sides)
Date: Wed, 29 Dec 1999 10:28:32 -0600


A note to anybody applying this, via patch or otherwise. Don't keep the
original resend lying around in the majordomo directory: wrapper assumes
everything in that directory is secure, and will gladly execute it.

[brock@o2 brock]$ /usr/freeware/majordomo/wrapper resend.orig '@|id'
uid=1126(majordomo) gid=1(daemon)
resend: must specify '-l list' at
/usr/freeware/majordomo-1.94.4/resend.orig line 78.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Wed, 29 Dec 1999, Todd C. Miller wrote:

For those using perl 5.x, you can use sysopen() instead of the "magic"
perl open() to fix this.

 - todd

--- resend    Thu Aug 19 10:12:03 1999
+++ resend+   Tue Dec 28 23:55:39 1999
@@ -58,7 +58,7 @@
 if ($ARGV[0] =~ /^\@/) {
     $fn = shift(@ARGV);
     $fn =~ s/^@//;
-    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
+    sysopen(AV, $fn, O_RDONLY) || die("sysopen(AV, \"$fn\", O_RDONLY): $!\nStopped");
     undef($/);       # set input field separator
     $av = <AV>;      # read whole file into string
     close(AV);
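
Review bot: the replacement sysopen() line uses the O_RDONLY constant, but nothing in this hunk imports it; unless resend already has `use Fcntl;` near the top, add it as part of this change. Separately, $fn is still taken directly from $ARGV[0], so although sysopen() no longer treats a leading '|' as a command, the script will still read whatever path it is handed; consider restricting $fn to the expected location before the sysopen() call.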

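The difference the patch relies on, shown as an added example that is not part of the original thread or of majordomo: the same constructed name `|id` (the post's argument minus the `@`) is passed to Perl's 2-argument open(), to sysopen(), and to 3-argument open(). The function names are hypothetical, and the 3-argument form assumes perl 5.6 or later.

```perl
#!/usr/bin/perl
# Added example, not majordomo code. $name stands in for the text that
# follows '@' in resend's first argument.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

# Pre-patch pattern: 2-argument open() parses the string itself, so a
# leading or trailing '|' is treated as a request to run a command.
sub open_magic {
    my ($name) = @_;
    open(my $fh, $name) or return "failed: $!";
    close($fh);
    return "succeeded";
}

# Patched pattern: sysopen() passes the string to open(2) as a path only.
sub open_sysopen {
    my ($name) = @_;
    sysopen(my $fh, $name, O_RDONLY) or return "failed: $!";
    close($fh);
    return "succeeded";
}

# Alternative with the same effect: 3-argument open() with an explicit
# read mode, which also disables the parsing of $name.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "failed: $!";
    close($fh);
    return "succeeded";
}

my $name = '|id';    # constructed input, taken from the post's '@|id'
printf "%-12s %s\n", '2-arg open:', open_magic($name);
printf "%-12s %s\n", 'sysopen:',    open_sysopen($name);
printf "%-12s %s\n", '3-arg open:', open_three_arg($name);
```

Only the 2-argument call starts the `id` program; the other two look for a file literally named `|id` and report the resulting error.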