Bugtraq mailing list archives

Re: majordomo local exploit


From: henrik () EDLUND ORG (Henrik Edlund)
Date: Thu, 30 Dec 1999 04:37:36 +0100


On Wed, 29 Dec 1999, Taneli Huuskonen wrote:

> "Todd C. Miller" <Todd.Miller () COURTESAN COM> wrote:
>
> > For those using perl 5.x, you can use sysopen() instead of the "magic"
> > perl open() to fix this.
>
> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
>       /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.

This patch should take care of that problem:

--- majordomo.old       Sat Oct  2 02:30:30 1999
+++ majordomo   Thu Dec 30 04:34:25 1999
@@ -44,6 +44,25 @@
     die("$cf not readable; stopped");
 }

+# Check if the cf file is owned by effective uid
+if ((stat($cf))[4] != $>) {
+    die("$cf not owned by effective uid; stopped");
+}
+
+# Check if the cf file is owned by effective gid
+$cfgid = (stat($cf))[5];
+$inlist = 0;
+foreach (split(/ /, $))) {
+    if ($cfgid == $_) {
+       $inlist = 1;
+       last;
+    }
+}
+if (! $inlist) {
+   die("$cf not owned by effective gid; stopped");
+}
+
+# Now we can read and execute the cf file
 require "$cf";

 # Go to the home directory specified by the .cf file
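Review bot: the owner and group checks added in this hunk say nothing about the file's mode bits, so a .cf file that the majordomo uid owns but that is group- or world-writable still passes and can be rewritten by whoever has that access; add a permission test next to them, e.g. `die("$cf writable by group or others; stopped") if ((stat($cf))[2] & 022);`. The hunk also calls `stat($cf)` twice and then `require "$cf"` opens the path a third time, so each step can see a different object if a symlink is swapped in between; stat once into an array (`my @st = lstat($cf)`), reject symlinks and non-plain files, and reuse `@st` for the uid, gid and mode checks.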

Comments?

--
Henrik Edlund
http://www.edlund.org/

  "They were in the wrong place at the wrong time.
Naturally they became heroes."
                  Leia Organa of Alderaan, Senator
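As an added example (not Henrik's patch and not majordomo's own code), here is the ownership check from the thread combined with Todd Miller's sysopen() suggestion and a path restriction for -C; it assumes every legitimate .cf file lives directly under a fixed directory `$cf_dir` (a placeholder) and belongs to the effective uid:

```perl
#!/usr/bin/perl
# Added example, not from the thread or from majordomo itself: validate a
# -C path before loading it. Assumed layout: every legitimate .cf file
# lives directly under $cf_dir and belongs to the effective uid.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use File::Spec;

my $cf_dir = '/path/to/majordomo';   # assumed .cf directory (placeholder)

# Returns a string saying why $cf is not trusted, or undef if it passes.
sub check_cf {
    my ($cf) = @_;
    # 1. Only absolute paths inside $cf_dir, with no '..' components.
    return "not an absolute path" unless File::Spec->file_name_is_absolute($cf);
    return "path escapes $cf_dir" if $cf =~ m{(?:^|/)\.\.(?:/|\z)};
    return "not under $cf_dir"    unless index($cf, "$cf_dir/") == 0;

    # 2. lstat so a symlink planted in $cf_dir is judged itself, not its target.
    my @st = lstat($cf) or return "cannot stat: $!";
    return "is a symlink"     if -l _;
    return "not a plain file" unless -f _;

    # 3. Owner and group, as in the patch above.
    return "not owned by uid $>" if $st[4] != $>;
    my %egid = map { $_ => 1 } split(' ', $));
    return "gid $st[5] not in effective gid list" unless $egid{$st[5]};

    # 4. Ownership alone is not enough: a file the right user owns but that
    #    group or others can write is still attacker-controlled.
    return "writable by group or others" if $st[2] & 022;

    return undef;
}

# sysopen() (Todd Miller's suggestion) never interprets '|', '<' or '>' in
# the name the way two-argument open() does; the path check above is what
# stops an arbitrary -C file from being read at all.
sub load_cf {
    my ($cf) = @_;
    my $why = check_cf($cf);
    die "$cf rejected: $why; stopped" if defined $why;
    sysopen(my $fh, $cf, O_RDONLY) or die "$cf: $!";
    local $/;                       # slurp the whole file
    my $code = <$fh>;
    close $fh;
    return $code;                   # caller evaluates it in place of require "$cf"
}
```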
