Bugtraq mailing list archives
Re: majordomo local exploit
From: coolio () K-R4D COM (Coolio)
Date: Wed, 29 Dec 1999 19:28:40 -0700
On Wed, 29 Dec 1999, Taneli Huuskonen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> "Todd C. Miller" <Todd.Miller () COURTESAN COM> wrote:
>
> > For those using perl 5.x, you can use sysopen() instead of the "magic"
> > perl open() to fix this.
>
> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
>     /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.
>
> Taneli Huuskonen

There are numerous holes in majordomo's scripts. Most of them allow you to specify an alternate .cf file, and that file is executed as majordomo.daemon or majordomo.majordomo.

A FreeBSD box I was doing testing on had it running as group daemon, as INSTALL suggested, and because mrtg was group daemon and 775 instead of 755 (I'm not sure if that's how mrtg is installed by default) and mrtg is crontabbed to run as root every 5 minutes, this tiny hole in majordomo gives root to any local users.

To continue using majordomo I recommend a) fixing the open() hole Brock Tellier found, and b) removing the ability to specify an alternate .cf file from all the majordomo scripts.

Is there a safe way to allow users to specify an alternate majordomo.cf?

- Coolio
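
One way to constrain the -C argument discussed in this message, as an added example that is not part of the original post and is not majordomo's own code: accept an alternate .cf file only if it resolves into an administrator-controlled directory and neither the file nor the directory can be modified by anyone but a trusted owner. The directory `/etc/majordomo`, the trusted uid list, and the function names `vet_cf` and `owner_only_writable` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: vet a -C argument before a privileged script loads it.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use Fcntl qw(:mode);

# Assumption: the only directory alternate .cf files may live in.
my $TRUSTED_DIR = '/etc/majordomo';

# True if $path is owned by one of @owners (uids) and is not writable
# by group or other. Used for both the config file and its directory.
sub owner_only_writable {
    my ($path, @owners) = @_;
    my @st = stat($path) or return 0;
    my ($mode, $uid) = @st[2, 4];
    return 0 unless grep { $_ == $uid } @owners;
    return 0 if $mode & (S_IWGRP | S_IWOTH);
    return 1;
}

# Returns the canonical path if the config may be loaded, undef otherwise.
sub vet_cf {
    my ($arg, $trusted, @owners) = @_;
    my $real = abs_path($arg);          # resolves symlinks and ".."
    return unless defined $real && -f $real;
    my $dir = abs_path($trusted);
    return unless defined $dir;
    # The file must sit directly in the trusted directory.
    return unless dirname($real) eq $dir;
    # Both the directory and the file must be tamper-proof; otherwise the
    # file could be swapped between this check and the load.
    return unless owner_only_writable($dir,  @owners);
    return unless owner_only_writable($real, @owners);
    return $real;
}

# Constructed usage: a user-writable path like the one quoted above is
# rejected. Trusted owner here is root (uid 0) only, as an assumption.
my $cf = vet_cf($ARGV[0] // '/tmp/evilhack.pl', $TRUSTED_DIR, 0);
die "refusing untrusted config file\n" unless defined $cf;
print "would load $cf\n";
```

Because a group-writable file or directory fails the check, the 775 situation described in the message would be refused rather than loaded.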