majordomo_leakage.txt

2003-02-04T00:00:00
ID PACKETSTORM:30779
Type packetstorm
Reporter Marco van Berkum
Modified 2003-02-04T00:00:00

Description

-------------------------------------------------------------------------------
Title : Majordomo info leakage (all versions)   
Date : 03/02/2003   
Article by : Marco van Berkum (m.v.berkum@obit.nl)   
Bug finder : Jakub Klausa (jacke@bofh.pl)   
Investigated by : Jakub Klausa and Marco van Berkum   
-------------------------------------------------------------------------------   
  
Introduction:  
--------------  
A while ago Jakub Klausa mailed me about a problem regarding the
Majordomo mailing list program. At first we were not sure if it was a
one-time problem or a common issue, so we checked several other servers
and installed Majordomo ourselves, and found ALL Majordomo versions to
be vulnerable, including the latest Majordomo 2 (alpha).
  
The problem:  
---------------  
All e-mail addresses can be extracted from mailing lists whose
'which_access' is set to "open" in the configuration file, and
which_access is set to "open" by default!
  
Majordomo 1.94.5 documentation quote:  
  
"8. By default, anyone (even non-subscribers) can use the commands  
"who", "which", "index", and "get" on a list. If you create an  
empty file named "listname.private" in the $listdir directory, only  
members of the list can use those commands."  
  
A typical case of RTFDOC, of course, but still: why isn't the private
configuration the default one (?!) As it stands, people actually have to read
the documentation to protect their lists against evil spammers, and we all
know that admins do not always read the docs (uhuh).
  
So when "which_access" is set to open, this bug can be exploited without
being subscribed to any mailing list on that server, simply by sending:
  
which @  
  
or  
  
which .  
  
to the Majordomo daemon. Majordomo then matches "@" (or ".") against the
subscribers of every mailing list that has 'which_access' set to "open",
and since every e-mail address contains both characters, this matches
every address subscribed to those lists.
  
There is a slight difference between the new Majordomo 2 (alpha) and the  
current Majordomo 1.94.x branch.  
  
Majordomo 1.94.x gives output such as this:  
  
>>>> which @  
The string '@' appears in the following  
entries in lists served by majordomo@somedomain.com:  
  
List Address  
==== =======  
test-list user@somedomain.com  
test-list anotheruser@anotherdomain.com  
another-list satan@evilmajordomodomain.net  
another-list bush@sopranos.org  
  
etc...  
  
Majordomo 2 also has the bug, though to a lesser extent than 1.94.x, since it
stops after a per-list match limit:
  
>>>> which @  
The pattern "/\@/i"  
matched the following subscriptions.  
  
Matches for the devils mailing list:  
satan@majordomo.org  
-- Match limit of 1 for devils exceeded.  
  
Matches for the britney mailing list:  
eminem@spears.net  
-- Match limit of 1 for britney exceeded.  
  
Impact:  
-------  
High. Privacy is not the only issue here: this bug could be used by evil
spammers to fill their databases, and the victims have done much of the work
for them already, since the harvested addresses are usually well targeted
(subject-specific mailing lists come to mind).
  
Solution:  
---------  
General:
Read the documentation regarding $listname.private and set every which_access
to "closed", or update to Majordomo 2 alpha, which still requires the same attention.
  
Majordomo 1.94.5 and earlier:  
As described in the documentation that comes with Majordomo 1.94.5,
create an empty file named "$listname.private" in $listdir.
Note that this only narrows the group of people able to pick up all the
addresses down to the list's own subscribers. Check your current
configurations for open which_access and close them.
  
Majordomo 2:  
The authors responded quickly and changed the default configuration setting
to "closed". Get the latest CVS version, and check your current
configurations for open which_access; which_access should be closed at
all times.
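As an added audit helper in the spirit of the "check your current configurations" advice (not part of this advisory or of Majordomo itself), the script below walks a $listdir and reports every list whose 'which' command is still reachable by non-members. It assumes the Majordomo 1.94.x layout of one $listdir/listname.config per list carrying a "which_access = open|list|closed" line, plus the optional empty listname.private file from the quoted documentation; the sample lists it creates are constructed.

```shell
#!/bin/sh
# Added audit helper; not part of the advisory or of Majordomo itself.
# Assumes the Majordomo 1.94.x layout: $listdir/<list>.config holding a
# "which_access = open|list|closed" line, plus the optional empty
# <list>.private file from the quoted documentation.
# Reports each list whose 'which' command is reachable by non-members:
# which_access open (or missing, since open is the default) and no
# <list>.private present.

audit_which_access() {
    listdir=$1
    for cfg in "$listdir"/*.config; do
        [ -f "$cfg" ] || continue
        list=$(basename "$cfg" .config)
        # Take the last uncommented assignment; commented-out
        # '# which_access ...' lines are skipped by the ^ anchor.
        access=$(sed -n 's/^[[:space:]]*which_access[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
        [ -n "$access" ] || access=open
        if [ "$access" = open ] && [ ! -f "$listdir/$list.private" ]; then
            echo "$list: which_access=$access and no $list.private -> subscribers exposed to anyone"
        fi
    done
}

# Constructed sample listdir (made-up lists, no real data) to exercise the audit.
make_sample_listdir() {
    d=$(mktemp -d)
    printf 'which_access = open\n' > "$d/test-list.config"
    printf '# which_access = open\nwhich_access = closed\n' > "$d/another-list.config"
    printf 'who_access = list\n' > "$d/devils.config"     # no which_access line: default open
    printf 'which_access = open\n' > "$d/britney.config"
    : > "$d/britney.private"                               # open, but protected by .private
    echo "$d"
}

sample=$(make_sample_listdir)
audit_which_access "$sample"   # reports devils and test-list only
rm -rf "$sample"
```

Run it as `audit_which_access /path/to/listdir` on a real installation; any line it prints is a list that should get a closed which_access or a listname.private file.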
  
Jakub made a patch for Majordomo 1.94.5.  
  
[Patch]  
This is a patch for Majordomo 1.94.5 which makes Majordomo ignore a
'which' request if its parameter does not (roughly) look like an
e-mail address.
  
  
--- majordomo.orig Mon Feb 3 13:23:45 2003  
+++ majordomo Mon Feb 3 13:23:23 2003  
@@ -624,6 +624,11 @@  
  
sub do_which {  
local($subscriber) = join(" ", @_) || &valid_addr($reply_to);  
+ if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {  
+   
+ &log("which abuse -> $subscriber passed as an argument.");  
+ exit(0);  
+ };  
local($count, $per_list_hits) = 0;  
# Tell the requestor which lists they are on by reading through all  
# the lists, comparing their address to each address from each list  
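Review bot: the whitelist regex on the added `if ($subscriber !~ ...)` line is tighter than real addresses: the local part may not contain `+` and the top-level domain is limited to `[a-zA-Z]{2,3}`, so valid subscribers under longer TLDs or with plus-addressing get their `which` request refused along with the `@` and `.` probes. Separately, `exit(0)` ends the whole majordomo run, silently discarding any further commands in the same message; returning from `do_which` after the `&log(...)` call (or sending an error reply) would be the conventional behaviour. Note also that the check runs on the `&valid_addr($reply_to)` fallback as well, and the added blank `+` line carries only trailing whitespace and can be dropped. Since the substring matching below is unchanged and `which_access` is not consulted, this limits bulk harvesting but does not replace setting `which_access` to closed.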
  
  
Cheers  
  
Marco van Berkum / http://ws.obit.nl / m.v.berkum@obit.nl  
Jakub Klausa / jacke@bofh.pl  
  
--   
find / -user your -name base -exec chown us:us {}\;  
----------------------------------------  
| Marco van Berkum / MB17300-RIPE |  
| m.v.berkum@obit.nl / http://ws.obit.nl |  
----------------------------------------  