Bugtraq mailing list archives
Re: majordomo local exploit
From: okir () LST DE (Olaf Kirch)
Date: Mon, 3 Jan 2000 15:22:01 +0100
On Thu, Dec 30, 1999 at 04:37:36AM +0100, Henrik Edlund wrote:

> This patch should take care of that problem:
No it doesn't. Apart from the raceability others have pointed out, there are a bunch of other scripts in the majordomo directory that also take a -C and/or -c argument that lets you specify a config file. In addition, the conf-test script (which by default is also installed in the majordomo directory) accepts the name of the config file as its first argument. All these scripts can be executed by Joe User simply by running `$LIBDIR/wrapper scriptname'.

Apart from the config file handling, there's probably a whole lot of exciting stuff you can do with majordomo's command line arguments. For instance try

    /usr/lib/majordomo/wrapper resend -l ../../../../../tmp/toast root < /dev/null

and admire the majordomo.majordomo owned file in your /tmp directory.

By the same approach, you can fake a mailing list configuration by placing a toast.config file in your /tmp directory. You can modify this configuration to e.g. set the sender address (used in bounces generated by resend) to "foo () bar com -C/tmp/sendmail.cf". If you now pipe a message into resend that generates a bounce, resend will invoke "sendmail -tfoo () bar com -C/tmp/sendmail.cf". Sendmail in turn, given the -C flag, will drop root privs and do whatever you ask it to do as the invoking user--which is majordomo because wrapper.c has set the real uid and gid to majordomo. (NB: don't bother with silly shell specials--resend uses fork/exec rather than system())

Fixing majordomo should:

a) Put those scripts that ordinary users should be able to run with majordomo privileges into a separate directory. Normally, this should be the majordomo script itself, and resend.

b) In wrapper.c, remove the ability to pass any arguments other than -l listname (also refuse arguments starting with @, these have a special meaning for resend). Any other values one would potentially want to pass to resend and/or majordomo can be specified in the general config file.

c) If a list name is given on the command line, ensure it's sane.
Olaf
--
Olaf Kirch          |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
          UNIX, n.: Spanish manufacturer of fire extinguishers.
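The argument filtering proposed in points a), b) and c) above, sketched as a defensive illustration that is added here and is not part of Olaf Kirch's post or of majordomo's wrapper.c. The function names, the two-script allow list and the accepted list-name character set are assumptions chosen for the example.

```c
#include <ctype.h>
#include <string.h>

#define MAX_LISTNAME 64

/* Point a): only the two scripts ordinary users need may be invoked, and
 * the script name may not carry a path component. (Hypothetical helper.) */
int script_allowed(const char *script)
{
    if (script == NULL || strchr(script, '/') != NULL)
        return 0;
    return strcmp(script, "majordomo") == 0 || strcmp(script, "resend") == 0;
}

/* Point c): a sane list name is short, starts with a letter or digit
 * (so "-C...", "@file", "../" and "/tmp/..." are all rejected), contains
 * only [A-Za-z0-9._-] and never ".." (no directory traversal). */
int listname_is_sane(const char *name)
{
    size_t len, i;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_LISTNAME || !isalnum((unsigned char)name[0]))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return strstr(name, "..") == NULL;
}

/* Point b): the only argument shape the wrapper forwards is an optional
 * "-l listname". argv here holds the script's arguments (argc of them),
 * not the wrapper's own. Anything else (-C, -c, @file, a bare config path
 * as first argument) is refused. Returns 1 when the arguments may pass. */
int wrapper_args_ok(int argc, char **argv)
{
    if (argc == 0)
        return 1;
    if (argc == 2 && strcmp(argv[0], "-l") == 0)
        return listname_is_sane(argv[1]);
    return 0;
}
```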