mailing list archives
Re: majordomo local exploit
From: coolio () K-R4D COM (Coolio)
Date: Wed, 29 Dec 1999 19:28:40 -0700
On Wed, 29 Dec 1999, Taneli Huuskonen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
"Todd C. Miller" <Todd.Miller () COURTESAN COM> wrote:
For those using perl 5.x, you can use sysopen() instead of the "magic"
perl open() to fix this.
I'm afraid that wouldn't help much, as you can supply any pathname as
the -C (configuration file) argument:
/path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
I tested this with version 1.94.1, but the same behaviour seems to be
there in 1.94.4, as far as I can tell by the source.
There are numerous holes in majordomo's scripts. Most of them allow you to
specify an alternate .cf file, and that file is executed as
majordomo.daemon or majordomo.majordomo. A FreeBSD box I was doing testing
on had it running as group daemon, as INSTALL suggested, and because mrtg
was group daemon and 775 instead of 755 (I'm not sure if that's how mrtg
is installed by default) and mrtg is crontabbed to run as root every 5
minutes, this tiny hole in majordomo gives root to any local users.
To continue using majordomo I recommend a) fixing the open() hole Brock
Tellier found, and b) removing the ability to specify an alternate .cf
file from all the majordomo scripts.
Is there a safe way to allow users to specify an alternate majordomo.cf?