Re: majordomo 1.94.5 does not fix all vulnerabilities

From: Chan Wilson (cwilsonat_private)
Date: Tue Jan 25 2000 - 03:20:28 PST

Next message: Camillo Särs: "Re: Windows 2000 Run As... Feature"

Previous message: John Duksta: "Re: Nortel Contivity Vulnerability: typo"
Maybe in reply to: Brock Sides: "majordomo 1.94.5 does not fix all vulnerabilities"
Next in thread: Dave Barr: "Re: majordomo 1.94.5 does not fix all vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Brock Sides <bsidesat_private> spaketh thusly on Mon, 24 Jan 2000 14:55:42 -0600
	about majordomo 1.94.5 does not fix all vulnerabilities...
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
> Tellier, that permits execution of arbitrary code as user majordomo, it
> apparently does not fix the other bug in the script majordomo, that
> permits execution of arbitrary config files as user majordomo:

Correct.  That is far better addressed at a o/s level by protecting
the directory that the majordomo code lives in.  A security note has
been added to the top of the INSTALL document that attempts to
highlight this matter:

	** SECURITY ALERT **
	
	   The default installation of Majordomo, including the checks that
	config-test does, WILL NOT RESULT IN A SECURE INSTALLATION.  In
	particular, the majordomo home directory and the "wrapper" program
	are, by default, accessible to any user.  These open privileges can be
	(mis)used to change list membership, list configuration details, forge
	email, perhaps even create and/or delete lists, and anything else that
	the majordomo user has permissions to do.
	
	   If Majordomo is *NOT* installed on a secured system with controlled
	access (and if you are paranoid, even if it is), you will need to take
	additional steps to prevent access to the majordomo directories.
	Usually, changing the privileges of the majordomo home directory to be
	0750 fixes these problems, but creates the additional burden of
	needing to configure the MTA (sendmail, qmail, exim) properly so that
	it can read and execute "wrapper".  Such configuration is beyond the
	scope of this install document, and is left to the FAQ (Doc/FAQ,
	Doc/majordomo-faq.html) and the support group
	majordomo-usersat_private to answer.
	
	** SECURITY ALERT **

While it is possible, as has been posted earlier, to patch all the
code that uses the -C configuration file flag, *and* patch resend to
only allow execution of code in specific directories, *and* rework
code so it knows where to find the relocated code, it is far easier to
simply prevent access to the majordomo directory (including access
log, list configuration, membership, etc) which gives security from
both execution of arbitrary code *and* information security for the
distribution lists.

--Chan
	majordomo maintainer.

Next message: Camillo Särs: "Re: Windows 2000 Run As... Feature"
Previous message: John Duksta: "Re: Nortel Contivity Vulnerability: typo"
Maybe in reply to: Brock Sides: "majordomo 1.94.5 does not fix all vulnerabilities"
Next in thread: Dave Barr: "Re: majordomo 1.94.5 does not fix all vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:20 PDT