Re: majordomo local exploit

From: Olaf Kirch (okirat_private)
Date: Mon Jan 03 2000 - 06:22:01 PST

    On Thu, Dec 30, 1999 at 04:37:36AM +0100, Henrik Edlund wrote:
    > This patch should take care of that problem:
    
    No it doesn't. Apart from the raceability others have pointed out
    there are a bunch of other scripts in the majordomo directory
    that also take a -C and/or -c argument that lets you specify a
    config file. In addition, the conf-test script (which by default
    is also installed in the majordomo directory) accepts the name
    of the config file as its first argument. All these scripts can
    be executed by Joe User simply by running `$LIBDIR/wrapper scriptname'
    
    Apart from the config file handling, there's probably a whole lot
    of exciting stuff you can do with majordomo's command line arguments.
    For instance try
    
    /usr/lib/majordomo/wrapper resend -l ../../../../../tmp/toast root < /dev/null
    
    and admire the majordomo.majordomo owned file in your /tmp
    directory.
    
    By the same approach, you can fake a mailing list configuration by
    placing a toast.config file in your /tmp directory. You can modify
    this configuration to e.g. set the sender address (used in bounces
    generated by resend) to "fooat_private -C/tmp/sendmail.cf". If you
    now pipe a message into resend that generates a bounce, resend
    will invoke "sendmail -tfooat_private -C/tmp/sendmail.cf". Sendmail in
    turn, given the -C flag, will drop root privs and do whatever you ask
    it to do as the invoking user--which is majordomo because wrapper.c
    has set the real uid and gid to majordomo.
    
    (NB: don't bother with silly shell specials--resend uses fork/exec
    rather than system())
    
    Fixing majordomo should
    
     a)	Put those scripts that ordinary users should be able
    	to run with majordomo privileges into a separate
    	directory. Normally, this should be the majordomo
    	script itself, and resend.
    
     b)	In wrapper.c, remove the ability to pass any arguments
    	other than -l listname (also refuse arguments starting
    	with @, these have a special meaning for resend).
    
    	Any other values one would potentially want to pass to resend
    	and/or majordomo can be specified in the general config file.
    
     c)	If a list name is given on the command line, ensure
    	it's sane.
    
    Olaf
    --
    Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    okirat_private    +-------------------- Why Not?! -----------------------
             UNIX, n.: Spanish manufacturer of fire extinguishers.
    
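The argument filter that points (a) to (c) of the post describe, as an added example. This is not majordomo's wrapper.c and not code from the original post; the directory name, the function names, the 64-character limit and the accepted character set for a list name are assumptions made here for illustration. The wrapper only execs a script from a fixed, separate directory, accepts nothing but "-l listname", and rejects list names that contain a slash or start with '.', '-' or '@', so the ../../../../../tmp/toast and -C/tmp/sendmail.cf tricks above fail before anything runs with majordomo's uid.

```c
/* Added example of a strict setuid-wrapper argument filter.
 * Not majordomo's wrapper.c; paths and names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* (a) scripts that ordinary users may run with majordomo privileges live
 * in their own directory (assumed path); conf-test and friends stay out. */
static const char *USER_SCRIPT_DIR = "/usr/lib/majordomo/user";
static const char *ALLOWED_SCRIPTS[] = { "majordomo", "resend", NULL };

/* (c) a sane list name is one path component: alphanumerics, '-', '_'
 * and '.', not starting with '.', '-' or '@' (no traversal, no option
 * injection, no resend '@' specials) and no longer than 64 bytes. */
int listname_is_sane(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    if (name[0] == '.' || name[0] == '-' || name[0] == '@') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    return 1;
}

int script_is_allowed(const char *script)
{
    for (int i = 0; ALLOWED_SCRIPTS[i]; i++)
        if (strcmp(script, ALLOWED_SCRIPTS[i]) == 0) return 1;
    return 0;
}

/* (b) the only accepted invocation is "wrapper script [-l listname]".
 * -C, -c, a bare config path or an @file are all refused.  On success
 * returns 1 and sets *listname (NULL when no -l was given). */
int filter_args(int argc, char **argv, const char **listname)
{
    *listname = NULL;
    if (argc < 2 || !script_is_allowed(argv[1])) return 0;
    if (argc == 2) return 1;
    if (argc != 4 || strcmp(argv[2], "-l") != 0) return 0;
    if (!listname_is_sane(argv[3])) return 0;
    *listname = argv[3];
    return 1;
}

/* Build the argv handed to execv(): the script path comes from the fixed
 * directory plus the whitelisted name, never from the caller, and the list
 * name is passed once, after "-l".  out[] needs room for 4 entries + NULL. */
int build_exec_argv(int argc, char **argv, char *path, size_t pathlen,
                    const char *out[5])
{
    const char *list;
    if (!filter_args(argc, argv, &list)) return 0;
    if (snprintf(path, pathlen, "%s/%s", USER_SCRIPT_DIR, argv[1]) >= (int)pathlen)
        return 0;
    int i = 0;
    out[i++] = path;
    if (list) { out[i++] = "-l"; out[i++] = list; }
    out[i] = NULL;
    return 1;
}

int main(int argc, char **argv)
{
    char path[256];
    const char *eargv[5];
    if (!build_exec_argv(argc, argv, path, sizeof path, eargv)) {
        fprintf(stderr, "usage: wrapper {majordomo|resend} [-l listname]\n");
        return 2;
    }
    /* a real wrapper sets the real and effective uid/gid to majordomo here */
    execv(path, (char *const *)eargv);
    perror("execv");
    return 1;
}
```

Anything else one wants to vary per list (sender address, bounce handling) then comes from the list's config under the majordomo directory, exactly as the post suggests, not from argv.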



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:41 PDT