Bugtraq mailing list archives

Re: majordomo local exploit

From: okir () LST DE (Olaf Kirch)
Date: Mon, 3 Jan 2000 15:22:01 +0100


On Thu, Dec 30, 1999 at 04:37:36AM +0100, Henrik Edlund wrote:

This patch should take care of that problem:


No it doesn't. Apart from the raceability others have pointed out
there are a bunch of other scripts in the majordomo directory
that also take a a -C and/or -c argument that lets you specify a
config file. In addition, the conf-test script (which by default
is also installed in the majordomo directory) accepts the name
of the config file as its first argument. All these scripts can
be executed by Joe User simply by running `$LIBDIR/wrapper scriptname'

Apart from the config file handling, there's probably a whole lot
of exciting stuff you can do with majordomo's command line arguments.
For instance try

/usr/lib/majordomo/wrapper resend -l ../../../../../tmp/toast root < /dev/null

and admire the majordomo.majordomo owned file in your /tmp
directory.

By the same approach, you can fake a mailing list configuration by
placing a toast.config file in your /tmp directory. You can modify
this configuration to e.g. set the sender address (used in bounces
generated by resend) to "foo () bar com -C/tmp/sendmail.cf". If you
now pipe a message into resend that generates a bounce, resend
will invoke "sendmail -tfoo () bar com -C/tmp/sendmail.cf" Sendmail in
turn, given the -C flag, will drop root privs and do whatever you ask
it to do as the invoking user--which is majordomo because wrapper.c
has set the real uid and gid to majordomo.

(NB: don't bother with silly shell specials--resend uses fork/exec
rather than system())

Fixing majordomo should

 a)     Put those scripts that ordinary users should be able
        to run with majordomo privileges into a separate
        directory. Normally, this should be the majordomo
        script itself, and resend.

 b)     In wrapper.c, remove the ability to pass any arguments.
        other than -l listname (also refuse arguments starting
        with @, these have a special meaning for resend).

        Any other values one would potentially want to pass to resend
        and/or majordomo can be specified in the general config file.

 c)     If a list name is given on the command line, ensure
        it's sane.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Current thread:

Re: majordomo local exploit John Archie (Jan 01)
- <Possible follow-ups>
- Re: majordomo local exploit Olaf Kirch (Jan 03)
- Re: majordomo local exploit Dale Clark (Jan 03)
- Re: majordomo local exploit Chan Wilson (Jan 07)