Bugtraq mailing list archives

Re: majordomo local exploit
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Fri, 31 Dec 1999 03:39:21 +0100

Henrik Edlund wrote:

> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
>       /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.
>
> This patch should take care of that problem:

Not quite. Your patch can be fooled by simple link trickery as there is
a race window between your check and the parsing of the configuration

A better way is to stat the filehandle. This guarantees (on systems
supporting fstat) that you get the information on the file about to be
read in rather than the information of a filename which may or may not
be the same file which is being read in.

Henrik Nordstrom
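
The difference between checking the name and checking the filehandle, as an added Python sketch; it is not Majordomo's code and not the patch discussed in this thread. The trust policy, the function names and the `window` hook that stands in for the race window are assumptions, and the files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def is_trusted(st, trusted_uid):
    """Assumed policy: regular file, owned by trusted_uid, not group/world writable."""
    return (stat.S_ISREG(st.st_mode) and st.st_uid == trusted_uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def read_checking_name(path, trusted_uid, window=lambda: None):
    """Racy pattern: stat the name, then resolve the same name again to open it."""
    if not is_trusted(os.stat(path), trusted_uid):
        raise PermissionError(path)
    window()  # simulated gap between the check and the open
    with open(path, "rb") as fh:
        return fh.read()

def read_checking_handle(path, trusted_uid, window=lambda: None):
    """Open first, then fstat the descriptor that is actually about to be read."""
    with os.fdopen(os.open(path, os.O_RDONLY), "rb") as fh:
        window()  # the name may change now; the open descriptor does not
        if not is_trusted(os.fstat(fh.fileno()), trusted_uid):
            raise PermissionError(path)
        return fh.read()

def demo():
    """Constructed scenario: 'cf' is a symlink that is repointed inside the window."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good, bad, link = (os.path.join(d, n) for n in ("good.cf", "bad.cf", "cf"))
        for name, data, mode in ((good, b"trusted", 0o644), (bad, b"untrusted", 0o666)):
            with open(name, "wb") as fh:
                fh.write(data)
            os.chmod(name, mode)

        def repoint(target):
            os.symlink(target, link + ".new")
            os.replace(link + ".new", link)  # rename acts on the link itself

        repoint(good)
        by_name = read_checking_name(link, uid, window=lambda: repoint(bad))
        repoint(good)
        by_handle = read_checking_handle(link, uid, window=lambda: repoint(bad))
        try:
            read_checking_handle(link, uid)  # the name now resolves to bad.cf
            rejected = False
        except PermissionError:
            rejected = True
        return by_name, by_handle, rejected
```

With the name-based check the data read comes from a file that was never checked; with the handle-based check the data either comes from the file that passed the check or the read is refused.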
