Bugtraq mailing list archives

Re: majordomo 1.94.5 does not fix all vulnerabilities

From: cwilson () NEU SGI COM (Chan Wilson)
Date: Tue, 25 Jan 2000 12:20:28 +0100


Brock Sides <bsides () TOWERY COM> spaketh thusly on Mon, 24 Jan 2000 14:55:42 -0600
        about majordomo 1.94.5 does not fix all vulnerabilities...

Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
Tellier, that permits execution of arbitrary code as user majordomo, it
apparently does not fix the other bug in the script majordomo, that
permits execution of arbitrary config files as user majordomo:


Correct.  That is far better addressed at a o/s level by protecting
the directory that the majordomo code lives in.  A security note has
been added to the top of the INSTALL document that attempts to
highlight this matter:

        ** SECURITY ALERT **
        
           The default installation of Majordomo, including the checks that
        config-test does, WILL NOT RESULT IN A SECURE INSTALLATION.  In
        particular, the majordomo home directory and the "wrapper" program
        are, by default, accessible to any user.  These open privileges can be
        (mis)used to change list membership, list configuration details, forge
        email, perhaps even create and/or delete lists, and anything else that
        the majordomo user has permissions to do.
        
           If Majordomo is *NOT* installed on a secured system with controlled
        access (and if you are paranoid, even if it is), you will need to take
        additional steps to prevent access to the majordomo directories.
        Usually, changing the privileges of the majordomo home directory to be
        0750 fixes these problems, but creates the additional burden of
        needing to configure the MTA (sendmail, qmail, exim) properly so that
        it can read and execute "wrapper".  Such configuration is beyond the
        scope of this install document, and is left to the FAQ (Doc/FAQ,
        Doc/majordomo-faq.html) and the support group
        majordomo-users () greatcircle com to answer.
        
        ** SECURITY ALERT **

While it is possible, as has been posted earlier, to patch all the
code that uses the -C configuration file flag, *and* patch resend to
only allow execution of code in specific directories, *and* rework
code so it knows where to find the relocated code, it is far easier to
simply prevent access to the majordomo directory (including access
log, list configuration, membership, etc) which gives security from
both execution of arbitrary code *and* information security for the
distribution lists.

--Chan
        majordomo maintainer.

Current thread:

Re: usual iploggers miss some variable stealth scans David LeBlanc (Jan 18)
- <Possible follow-ups>
- Re: usual iploggers miss some variable stealth scans Hank Leininger (Jan 18)
- Re: usual iploggers miss some variable stealth scans Oliver Friedrichs (Jan 19)
  - Re: usual iploggers miss some variable stealth scans Ralf Laue (Jan 21)
  - Re: usual iploggers miss some variable stealth scans antirez (Jan 22)
    - Re: usual iploggers miss some variable stealth scans Theo de Raadt (Jan 23)
    - Security Bulletins Digest Aleph One (Jan 24)
    - majordomo 1.94.5 does not fix all vulnerabilities Brock Sides (Jan 24)
    - Re: majordomo 1.94.5 does not fix all vulnerabilities Chan Wilson (Jan 25)
    - Re: majordomo 1.94.5 does not fix all vulnerabilities Dave Barr (Jan 25)
    - Re: majordomo 1.94.5 does not fix all vulnerabilities Olaf Kirch (Jan 25)
    - Re: majordomo 1.94.5 does not fix all vulnerabilities Martin Mares (Jan 25)