Vulners
Lucene search
Majordomo2 Directory Traversal
🗓️ 08 Mar 2011 00:00:00Reported by Nikolas SotiriuType 
packetstorm🔗 packetstormsecurity.com👁 49 Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2011-0063 | 3 Feb 201100:00 | – | circl |
 | CVE-2011-0063 | 15 Mar 201117:00 | – | cve |
 | CVE-2011-0063 | 15 Mar 201117:00 | – | cvelist |
 | DSquare Exploit Pack: D2SEC_MAJORDOMO2 | 15 Mar 201117:55 | – | d2 |
 | Majordomo 2 File Disclosure | 27 Apr 201200:00 | – | dsquare |
 | Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access | 16 Feb 201100:00 | – | nessus |
 | Majordomo2 _list_file_get() Directory Traversal | 12 Mar 201116:38 | – | metasploit |
 | CVE-2011-0063 | 15 Mar 201117:55 | – | nvd |
 | Majordomo2 Directory Traversal Vulnerability | 7 Feb 201100:00 | – | openvas |
| Majordomo2 _list_file_get() Directory Traversal | 1 Sep 202400:00 | – | packetstorm |
10
`______________________________________________________________________
-------------------------- NSOADV-2011-003 ---------------------------
Majordomo2 'help' Command Directory Traversal (Patch Bypass)
______________________________________________________________________
______________________________________________________________________
111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________
Title: Majordomo2 'help' Command Directory Traversal
Severity: Medium
Advisory ID: NSOADV-2011-003
CVE: CVE-2011-0063
Found Date: 03.02.2011
Date Reported: 03.02.2011
Release Date: 19.02.2011
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt
Vendor/Project: http://www.mj2.org/
Affected Products: majordomo2 <= 20110203
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
===========
Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo
mailing list manager software by Jason Tibbitts and Michael Yount.
Description:
============
Majordomo2 <= 20110203 is affected by a Directory Traversal
vulnerability due to parameter 'extra' of the 'help' command in the
function '_list_file_get()' is not properly sanitized.
The original bug was made public on 03.02.2011 by Michael Brooks
of sitewat.ch:
https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064
I discovered, that the patch, which is in the CVS since version 20110125
don't protect against the Directory Traversal bug.
https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481
The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes
'../' from $file. Bypassing this regex is quiet simple by using './.../'
insted '../'.
Proof of Concept :
==================
HTTP:
http://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&
extra=./..././..././..././..././..././..././..././.../etc/passwd
SMTP:
help ./..././..././..././..././..././..././..././.../etc/passwd
Solution:
=========
Update to Majordomo2 >= 20110204
http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz
References:
===========
Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307
Disclosure Timeline (YYYY/MM/DD):
=================================
2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opend Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts comitted a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discuss the public disclosure
2011.03.04: Got the Bug Bounty Money
2011.03.08: Release of Advisory
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Mar 2011 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.89981