Bugtraq mailing list archives
Security hole in MajorCool 1.0.3
From: dszd0g () DASB FHDA EDU (Benjamin J Stassart)
Date: Wed, 18 Jun 1997 04:22:52 -0700
-----BEGIN PGP SIGNED MESSAGE----- Brief Description - ----------------- The mj_key_cache program that comes with MajorCool 1.0.3 and earlier writes to /tmp/cache without proper checking. Impact - ------ Systems running MajorCool 1.0.3 and below with the mj_key_cache program cron'd as necessary for most operation are vulnerable. This vulnerability allows any user on the local system to corrupt any file writable by the user and group mj_key_cache runs as. This is usually majordom/majordom although is set at installation. Fix - --- Patch the mj_key_cache program using the diff written by a fellow system administrator, Ash <ash () dasb fhda edu>, at the bottom of this message or upgrade to the next release of MajorCool when it becomes available. We have been in contact with Mr. Houle and he said he that will incorporate Ash's changes in the next release of MajorCool. Full Description - ---------------- mj_key_cache is a cron job for MajorCool that stores list information in ~majordom/lists/.majorcool_cache to be used by the majordomo cgi perl script. The following line from mj_key_cache is where the vulnerability is: open(TMP, ">/tmp/cache") || &squawk("Could not open cache"); This can be exploited by creating a symbolic link from /tmp/cache to the file that is to be corrupted. Ash rewrote mj_key_cache to avoid using a temp file altogether. mj_key_cache diff rewritten by ash () dasb fhda edu - ------------------------------------------- *** mj_key_cache Fri May 30 17:21:48 1997 - --- mj_key_cache.orig Tue May 27 20:14:45 1997 *************** *** 71,77 **** @lists = readdir(RD_DIR); closedir(RD_DIR); ! open(CACHE, "> $cache") || &squawk("Could not open cache"); foreach (sort @lists) { local($list) = $_; $list =~ s,^.*/,,; # strip off leading path - --- 71,77 ---- @lists = readdir(RD_DIR); closedir(RD_DIR); ! open(TMP, ">/tmp/cache") || &squawk("Could not open cache"); foreach (sort @lists) { local($list) = $_; $list =~ s,^.*/,,; # strip off leading path *************** *** 84,101 **** local($policy) = $config_opts{$list,'subscribe_policy'}; local($advertise) = $config_opts{$list,'advertise'}; local($noadvertise) = $config_opts{$list,'noadvertise'}; ! push @TMP, "$list#$owner#$policy#$desc#$advertise#$noadvertise\n"; } ! print CACHE @TMP; ! close(CACHE); ! #if ( -s "/tmp/cache" ) { ! # system("cp /tmp/cache $cache; rm /tmp/cache"); printf STDERR "$main'program_name: cache complete\n" if $verbose; ! #} ! #else { ! # &squawk("Key cache file empty: /tmp/cache"); ! #} # free_lock is only 1.94 &free_lock("$listdir/.cache.LOCK") if defined(&free_lock); - --- 84,100 ---- local($policy) = $config_opts{$list,'subscribe_policy'}; local($advertise) = $config_opts{$list,'advertise'}; local($noadvertise) = $config_opts{$list,'noadvertise'}; ! print TMP "$list#$owner#$policy#$desc#$advertise#$noadvertise\n"; } ! close(TMP); ! if ( -s "/tmp/cache" ) { ! system("cp /tmp/cache $cache; rm /tmp/cache"); printf STDERR "$main'program_name: cache complete\n" if $verbose; ! } ! else { ! &squawk("Key cache file empty: /tmp/cache"); ! } # free_lock is only 1.94 &free_lock("$listdir/.cache.LOCK") if defined(&free_lock); - ------------------------------------------------------------------- end of mj_key_cache diff Benjamin J. Stassart - ------------------------------------------------+ A great many people think they are thinking | when they are merely rearranging their | prejudices | -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBM6fFD5ePz5nhUoJ9AQGBoQP/ZYYhsaxNfj3iFfMGoRyp2nGGa7hRpz3z xcphSnFed75DRxctnZHNJYaQeKqzFZXIP0MmxGI5WpZw+E1dByX2JSATcRloLt0x pseA1a8bDkIMCQt/eZ/3zs+dlmm1fmAeh94nheETIUwEUvMvv/2Zy/gSvWyBSbgL vRS4JGUVGgU= =F3sK -----END PGP SIGNATURE-----
Current thread:
- Wrapper v2 released Joe Zbiciak (Jun 15)
- Netscape Admin Servers /tmp/deamonstat Yucel (Jun 17)
- Netscape Admin Servers *not vulnerable* Marcin Cieslak (Jun 17)
- Security hole in MajorCool 1.0.3 Benjamin J Stassart (Jun 18)
- ANNOUNCE: qmail Security Challenge Dave Sill (Jun 18)
- Seyon vulnerability - IRIX Shawn Hillis (Jun 17)
- Netscape Admin Servers /tmp/deamonstat Yucel (Jun 17)