Re: majordomo 1.94.5 does not fix all vulnerabilities

From: Olaf Kirch (okirat_private)
Date: Tue Jan 25 2000 - 06:56:09 PST


    On Mon, Jan 24, 2000 at 02:55:42PM -0600, Brock Sides wrote:
    > Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
    > Tellier, that permits execution of arbitrary code as user majordomo, it
    > apparently does not fix the other bug in the script majordomo, that
    > permits execution of arbitrary config files as user majordomo:
    
    There are a number of ways to get majordomo to execute your perl code.
    I mailed the developers a list of things I consider insecure
    (like being able to give it a list name of ../../../../tmp/foo, and
    it'll create /tmp/foo as majordomo). Other cool things include
    
    wrapper config-test <your perl script file here>
    
    You see, the recommended installation doesn't even distinguish
    between debugging and production code -- anybody can run anything
    in the majordomo directory with majordomo privs.
    
    Another candidate is archive2.pl which has loads of funny options.
    At least it lets you write arbitrary files as user majordomo. Your
    /usr/lib/majordomo directory owned by majordomo? Great--trojan the
    wrapper binary and gain group daemon privilege from sendmail.
    
    Their response to this has been that you should install wrapper
    without world execute bit. On a sendmail system this means you
    need to make it owned by group daemon so that sendmail can run it
    (provided you run it from /etc/aliases):
    
    	chown root.daemon wrapper
    	chmod 4550 wrapper
    
    If you think about it, this makes daemon and majordomo accounts
    interchangeable. If I break daemon, I can become majordomo because of
    all the holes in it. If I can become majordomo, I can also become
    daemon--I just have to replace the wrapper program with my own binary
    (the majordomo directory is owned by majordomo in the default install).
    
    I consider this broken, but I haven't been able to get more out of
    them. That and the license that basically keeps us from shipping a
    modified majordomo makes me seriously think about whether we shouldn't
    just drop it altogether.
    
    Olaf
    --
    Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    okirat_private    +-------------------- Why Not?! -----------------------
             UNIX, n.: Spanish manufacturer of fire extinguishers.
    
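A defender-side check for the install layout Olaf describes, added here as an example and not code from the majordomo distribution or from anyone in the thread: it verifies that wrapper is mode 4550 with the expected owner and group, and that the directory holding it is neither owned by the list account nor group/world writable, since a directory the list account can write to lets that account replace the wrapper binary. It assumes GNU stat (-c); the owner, group and list-account names are parameters chosen by the caller.

```sh
#!/bin/sh
# audit_wrapper DIR WRAPPER_OWNER WRAPPER_GROUP LIST_USER
# Prints one line per finding; exit status 0 = layout sound, 1 = problem found.
# Assumes GNU stat. "daemon"/"majordomo" etc. are whatever the caller passes.
audit_wrapper() {
    dir=$1 want_owner=$2 want_group=$3 list_user=$4
    wrapper="$dir/wrapper"
    rc=0
    if [ ! -f "$wrapper" ]; then
        echo "FAIL: $wrapper does not exist"
        return 1
    fi
    # Owner, group and octal mode (special bits included) of the wrapper
    set -- $(stat -c '%U %G %a' "$wrapper")
    w_owner=$1 w_group=$2 w_mode=$3
    if [ "$w_owner" != "$want_owner" ] || [ "$w_group" != "$want_group" ]; then
        echo "FAIL: wrapper owned by $w_owner:$w_group, expected $want_owner:$want_group"
        rc=1
    fi
    # 4550 = setuid, owner r-x, group r-x, nothing at all for others
    if [ "$w_mode" != "4550" ]; then
        echo "FAIL: wrapper mode $w_mode, expected 4550 (no world execute)"
        rc=1
    fi
    # The directory decides who can swap the binary out from under the setuid bit
    set -- $(stat -c '%U %a' "$dir")
    d_owner=$1 d_mode=$2
    if [ "$d_owner" = "$list_user" ]; then
        echo "FAIL: $dir is owned by $list_user, who can therefore replace wrapper"
        rc=1
    fi
    # Any group- or world-write bit (octal 022) on the directory allows the same
    if [ $(( 0$d_mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir mode $d_mode is group/world writable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: wrapper layout looks sound"
    return "$rc"
}
```

Run it as `audit_wrapper /usr/lib/majordomo root daemon majordomo` on a sendmail-style install; any FAIL line means the list account and the MTA group are effectively interchangeable, as the mail explains.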



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:26 PDT