ezmlm-idx Arbitrary Command Execution Vulnerability
BID:2053
Info
ezmlm-idx Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 2053 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 05 1980 12:00AM |
| Updated: | Dec 05 1980 12:00AM |
| Credit: | This vulnerability was first announced by vort-fu <[email protected]> on December 5, 2000. |
| Vulnerable: |
Fred Lindberg ezmlm-idx 0.40 |
| Not Vulnerable: | |
Discussion
ezmlm-idx Arbitrary Command Execution Vulnerability
ezmlm-idx is a mailing list manager addon to ezmlm, designed to allow archival, digesting, and remote administration. The package is specifically designed for use with the qmail MTA, and is written by Fred Lindberg and Fred B. Ringel. A problem exists which could allow a user to arbitrarily execute code.
The problem occurs in the ezmlm-cgi portion of the package. The recommended installation of ezmlm-cgi is as suid root, although this is deviated from frequently. After installing the program setuid to a user other than root, the program, when launched, will attempted to read it's configuration file from the current working directory, vice the default /etc/ezmlm/ directory. This makes it possible for a malicious user to arbitrarily execute commands with the privileges inherited by ezmlm-cgi.
ezmlm-idx is a mailing list manager addon to ezmlm, designed to allow archival, digesting, and remote administration. The package is specifically designed for use with the qmail MTA, and is written by Fred Lindberg and Fred B. Ringel. A problem exists which could allow a user to arbitrarily execute code.
The problem occurs in the ezmlm-cgi portion of the package. The recommended installation of ezmlm-cgi is as suid root, although this is deviated from frequently. After installing the program setuid to a user other than root, the program, when launched, will attempted to read it's configuration file from the current working directory, vice the default /etc/ezmlm/ directory. This makes it possible for a malicious user to arbitrarily execute commands with the privileges inherited by ezmlm-cgi.
Exploit / POC
ezmlm-idx Arbitrary Command Execution Vulnerability
See discussion.
See discussion.
Solution / Fix
ezmlm-idx Arbitrary Command Execution Vulnerability
Solution:
The recommended installation encourages installation of the program SUID root. A temporary work around is either changing the program to setuid root, or disabling it altogether.
The following patches are available:
Fred Lindberg ezmlm-idx 0.40
Solution:
The recommended installation encourages installation of the program SUID root. A temporary work around is either changing the program to setuid root, or disabling it altogether.
The following patches are available:
Fred Lindberg ezmlm-idx 0.40
-
Fred Lindberg ezmlm-cgi.patch
ftp://ftp.ezmlm.org/pub/patches/ezmlm-cgi.patch -
Fred Lindberg manpage ezmlm-cgi.1
ftp://ftp.ezmlm.org/pub/patches/ezmlm-cgi.1 -
Fred Lindberg source ezmlm-cgi.c
ftp://ftp.ezmlm.org/pub/patches/ezmlm-cgi.c