Bugtraq mailing list archives

Re: majordomo 1.94.5 does not fix all vulnerabilities


From: okir () CALDERA DE (Olaf Kirch)
Date: Tue, 25 Jan 2000 15:56:09 +0100


On Mon, Jan 24, 2000 at 02:55:42PM -0600, Brock Sides wrote:
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

There are a number of ways to get majordomo to execute your perl code.
I mailed the developers a list of things I consider insecure
(like being able to give it a list name of ../../../../tmp/foo, and
it'll create /tmp/foo as majordomo). Other cool things include

wrapper config-test <your perl script file here>

You see, the recommended installation doesn't even distinguish
between debugging and production code -- anybody can run anything
in the majordomo directory with majordomo privs.

Another candidate is archive2.pl which has loads of funny options.
At least it lets you write arbitrary files as user majordomo. Your
/usr/lib/majordomo directory owned by majordomo? Great--trojan the
wrapper binary and gain group daemon privilege from sendmail.

Their response to this has been that you should install wrapper
without world execute bit. On a sendmail system this means you
need to make it owned by group daemon so that sendmail can run it
(provided you run it from /etc/aliases):

        chown root.daemon wrapper
        chmod 4550 wrapper

If you think about it, this makes daemon and majordomo accounts
interchangeable. If I break daemon, I can become majordomo because of
all the holes in it. If I can become majordomo, I can also become
daemon--I just have to replace the wrapper program with my own binary
(the majordomo directory is owned by majordomo in the default install).

I consider this broken, but I haven't been able to get more out of
them. That and the license that basically keeps us from shipping a
modified majordomo makes me seriously think about whether we shouldn't
just drop it altogether.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
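The two problems the post describes, a list name such as ../../../../tmp/foo escaping the lists directory and a setuid wrapper living in a directory owned by the very account it drops to, as an added example in Python (not majordomo's own Perl code and not from the post). The list-name syntax, the uid 1001 standing in for the majordomo account, and the file modes are assumptions for illustration; the scenarios mirror the default install, the vendor's recommended 4550 root.daemon wrapper, and an install whose directory is owned by root.

```python
"""Checks prompted by the two problems the post describes (added example,
not majordomo code): list names that escape the lists directory, and a
setuid wrapper installed in a directory owned by the account it drops to.
The list-name syntax, uids and file modes are assumptions for illustration."""
import os
import re
import stat

# Assumed list-name syntax (ours, not majordomo's): one path component that
# starts with a letter or digit.  No slash and no leading dot, so neither
# "../x" nor "/tmp/foo" can pass.
LIST_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def list_config_path(lists_dir, name):
    """Path of the config file for list `name`, or None if the name is
    malformed or would resolve outside `lists_dir`."""
    if not LIST_NAME_RE.match(name):
        return None
    base = os.path.realpath(lists_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".config"))
    # Second line of defence: a file that resolves outside the lists directory
    # (a loosened regex later, or a symlink planted in the directory) is refused.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def audit_wrapper(wrapper_mode, dir_mode, dir_uid, drop_to_uid, trusted_uids=(0,)):
    """Findings for a wrapper binary and the directory that holds it.

    wrapper_mode and dir_mode are st_mode values, dir_uid the directory's
    owner, drop_to_uid the unprivileged account the wrapper switches to
    (the majordomo user).  Returns a list of strings; empty means clean."""
    findings = []
    if not wrapper_mode & (stat.S_ISUID | stat.S_ISGID):
        return findings            # no privilege change, nothing to gain
    if wrapper_mode & stat.S_IXOTH:
        findings.append("wrapper is world-executable: any local user can run "
                        "'wrapper config-test <file>' as the drop-to account")
    # Whoever can write the directory can move the wrapper aside and install
    # their own binary; the next caller then runs that binary with the
    # caller's own credentials (for sendmail: group daemon).
    if dir_uid == drop_to_uid:
        findings.append("directory owned by the account the wrapper drops to: "
                        "becoming that account lets you replace the wrapper and "
                        "inherit its callers' privileges")
    elif dir_uid not in trusted_uids:
        findings.append(f"directory owned by untrusted uid {dir_uid}, which can "
                        "replace the wrapper")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append("directory is group- or world-writable without the sticky bit")
    return findings


def audit_installed_wrapper(wrapper_path, drop_to_uid, trusted_uids=(0,)):
    """Run audit_wrapper() against a wrapper that exists on disk."""
    w = os.stat(wrapper_path)
    d = os.stat(os.path.dirname(os.path.realpath(wrapper_path)))
    return audit_wrapper(w.st_mode, d.st_mode, d.st_uid, drop_to_uid, trusted_uids)


# Constructed scenarios (uid 1001 stands in for the majordomo account):
# the default install, the vendor's recommended permissions, and an install
# whose directory is owned by root.
SCENARIOS = {
    "default (4755 root, dir owned by majordomo)": (0o4755, 0o755, 1001, 1001),
    "recommended (4550 root.daemon, dir still majordomo)": (0o4550, 0o755, 1001, 1001),
    "directory owned by root": (0o4550, 0o755, 0, 1001),
}

if __name__ == "__main__":
    print(list_config_path("/var/lib/majordomo/lists", "announce"))
    print(list_config_path("/var/lib/majordomo/lists", "../../../../tmp/foo"))
    for label, args in SCENARIOS.items():
        print(label, "->", audit_wrapper(*args) or ["clean"])
```

The recommended 4550 root.daemon install still produces one finding, which is the point of the post: as long as the directory belongs to the majordomo account, whoever holds that account can swap the wrapper and run as whatever invokes it. Only moving the directory to root (or another trusted owner) clears the audit.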
