Great Circle Associates Majordomo-Workers
(December 1997)
 


Subject: 1.94.4 security hole with :include:syslog
From: mhpower @ MIT . EDU
Date: Mon, 08 Dec 1997 00:39:43 EST
To: Majordomo-Workers @ GreatCircle . COM

Using Majordomo 1.94.4, I noticed it was possible for a list owner to
subscribe the address :include:syslog to a list, e.g., I get:

   >>>> approve mylist.admin subscribe mylist :include:syslog
   Succeeded.

If this is done on a machine running sendmail, and there's some way to
send mail to the members of mylist, e.g., an aliases entry of

   mylist: :include:/usr/test/majordomo/lists/mylist

then each of the lines in the file syslog is now a recipient address
for mail to mylist. The file syslog is searched for in sendmail's
queue directory, i.e., the pathname "syslog" is typically
equivalent to "/usr/spool/mqueue/syslog" -- except of course it
can be used without getting a "HOSTILE ADDRESS" abort.

In many environments, /usr/spool/mqueue/syslog is where sendmail's
syslog data is stored. It often contains information that one wouldn't
want to distribute to outsiders, e.g., the addresses of everyone who
receives mail from the local machine. On the other hand, it's common
to have /usr/spool/mqueue/syslog mode 644 (letting non-root users
include it), especially if the file is supposed to be accessible only
by people who have local accounts (e.g., the owners of the very small
number of local accounts on a dedicated mail-server machine).

However, once a list owner has subscribed :include:syslog to his list,
he can then send mail to the list and will likely receive many bounce
messages that divulge the contents of /usr/spool/mqueue/syslog. For
example, one of the bounce messages I received contained:

  <Dec.7.22:27:00.host.sendmail[14275]:WAA14274:to=mhpower@host.mit.edu>:
  Sorry, no mailbox here by that name. (#5.1.1)

I think it's important to be able to deny list owners (i.e., the ones
who don't have local accounts) the ability to access the contents of
/usr/spool/mqueue/syslog without mandating that the permissions on
/usr/spool/mqueue/syslog be stricter than 644. Because of this, I
think the majordomo.pl in the standard distribution should be changed
to produce a "HOSTILE ADDRESS" abort upon any attempt to subscribe an
address beginning with ":include:".

Matt Power
mhpower@mit.edu
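
An added example, not part of the original message or of Majordomo: a Python audit that flags entries beginning with ":include:" in an existing list file, the same condition the message proposes rejecting at subscribe time. The function names and the sample list are constructed for illustration, and matching case-insensitively and past leading quotes is a conservative assumption.

```python
import re

# Matches an entry that starts with the ":include:" directive instead of a
# mailbox. Leading whitespace/quotes and letter case are tolerated on purpose
# (assumption: over-reporting is the safe side for an audit).
_INCLUDE_RE = re.compile(r'^[\s"\'<]*:include:', re.IGNORECASE)


def is_include_directive(address):
    """True if a subscription address begins with ':include:'."""
    return bool(_INCLUDE_RE.match(address))


def audit_list(text):
    """Return (line_number, entry) for every include directive in a list file.

    Each line is also split on commas, because a file pulled in through an
    alias may carry several recipients on one line.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for entry in line.split(","):
            entry = entry.strip()
            if entry and is_include_directive(entry):
                findings.append((lineno, entry))
    return findings


# Constructed sample list file (not taken from a real installation).
SAMPLE_LIST = """\
alice@example.org
:include:syslog
bob@example.org, :INCLUDE:syslog
carol+include@example.org
"""

if __name__ == "__main__":
    for lineno, entry in audit_list(SAMPLE_LIST):
        print(f"line {lineno}: include directive {entry!r}")
```
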


