Bugtraq mailing list archives
Majordomo /tmp exploit
From: ovrneith () tqgnet com (Karl G - NOC Admin)
Date: Thu, 26 Mar 1998 15:03:28 -0600
-=desc=- Majordomo allows appending to any file owned by the majordomo user/group. -=x-ploit=- create a symlink in /tmp to any majordomo file ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug send a message with any emailer to majordomo with a "/" in the return address. (i tested with Winbloze Internet Mail) ex: blah/1234 () yourdomain com the owner of majordomo will receive the below message... from then on, majordomo will be inoperable. (if the above symlink is used) Majordomo keeps a debug log and appends to it every time it crashes with out checking ownerships of the symlinks.. or for that matter for symlinks at all. --snip-- Subject: MAJORDOMO ABORT (mj_majordomo) -- MAJORDOMO ABORT (mj_majordomo)!! HOSTILE ADDRESS (no x400 c=) blah/34234 () domain com --snip-- -=fix=- should the wrapper not check for such things? party on. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Karl Grindley ICQ: 2660211 Network Administrator TQG Internet Network
Current thread:
- Re: apache+ssl 1.13 symlink problem Ben Laurie (Mar 24)
- Re: apache+ssl 1.13 symlink problem; NcFTP 2.4.2+ Mike Gleason (Mar 24)
- Clarification Mike Gleason (Mar 24)
- Protocol Aleph One (Mar 24)
- SECURITY: new svgalib and kbd now available Erik Troan (Mar 25)
- Sumbit Internet Account v1.1 Dax Kelson (Mar 25)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
- FW: mysql: Trivial mSQL/MySQL DoS method? (fwd) Michael Widenius (Mar 26)
- Re: Majordomo /tmp exploit Steven Pritchard (Mar 26)
- easy DoS in most RPC apps Peter van Dijk (Mar 28)
- Netscape passes mailbox path and message ID as refferer Rop Gonggrijp (Mar 28)
- Hole. HKirk (Mar 28)
- Rhino9: WinGate Vulnerability Aleph One (Mar 29)
- MySQL Security Sandu Mihai (Mar 29)
- Re: MySQL Security Aleph One (Mar 29)
- Eudora Pro 4.0 attachment/long filename problem whiz (Mar 29)
- mysql: MySQL Security Michael Widenius (Mar 29)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)