Bugtraq mailing list archives
Re: majordomo local exploit
From: henrik () EDLUND ORG (Henrik Edlund)
Date: Thu, 30 Dec 1999 04:37:36 +0100
On Wed, 29 Dec 1999, Taneli Huuskonen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> "Todd C. Miller" <Todd.Miller () COURTESAN COM> wrote:
>
> > For those using perl 5.x, you can use sysopen() instead of the "magic"
> > perl open() to fix this.
>
> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
> /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.

This patch should take care of that problem: --- majordomo.old Sat Oct 2 02:30:30 1999 +++ majordomo Thu Dec 30 04:34:25 1999 @@ -44,6 +44,25 @@ die("$cf not readable; stopped"); } +# Check if the cf file is owned by effective uid +if ((stat($cf))[4] != $>) { + die("$cf not owned by effective uid; stopped"); +} + +# Check if the cf file is owned by effective gid +$cfgid = (stat($cf))[5]; +$inlist = 0; +foreach (split(/ /, $))) { + if ($cfgid == $_) { + $inlist = 1; + last; + } +} +if (! $inlist) { + die("$cf not owned by effective gid; stopped"); +} + +# Now we can read and execute the cf file require "$cf"; # Go to the home directory specified by the .cf file Comments? -- Henrik Edlund http://www.edlund.org/ "They were in the wrong place at the wrong time. Naturally they became heroes." Leia Organa of Alderaan, Senator
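
Review bot: the two ownership checks call stat($cf) on the pathname and the following `require "$cf"` opens that pathname again, so nothing ties the file that was checked to the file that is loaded when $cf sits in a directory another user can write to. Opening the file once, running stat on the open handle, and evaluating what is read from that handle would close that gap; it would also replace the two separate stat($cf) calls with one saved result. The checks look only at fields 4 and 5 of the stat list, so a file owned by the effective uid and gid but group- or world-writable still passes; testing the mode (field 2) alongside the owner would tighten this. Ownership also does not show that the file is a configuration file: any file the effective uid owns is accepted by these checks, so restricting -C to a known configuration directory before the `require` is worth considering.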