COMMAND

    majordomo

SYSTEMS AFFECTED

    Systems running majordomo

PROBLEM

    Karl Grindley posted another /tmp exploit, this one regarding
    majordomo.  Majordomo allows appending to any file owned by the
    majordomo user/group.  To exploit this, create a symlink in /tmp
    to any majordomo file:

        ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug

    Send a message  with any emailer  to majordomo with  a "/" in  the
    return address (tested with Win Internet Mail):

        blah/1234@yourdomain.com

    The owner of majordomo will receive the below message...  From then
    on, majordomo will be inoperable (if the above symlink is used).
    Majordomo keeps a debug log and appends to it every time it
    crashes, without checking ownership of the symlinks, or for that
    matter for symlinks at all.
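
    The check the debug-log append lacks, shown as an added example in
    Python; it is not code from the advisory or from majordomo (which is
    Perl).  The name append_debug_log and the file names in demo() are
    constructed for illustration.

```python
import errno
import os
import stat
import tempfile


def append_debug_log(path, message):
    """Append message to path, refusing symlinks and files we do not own.

    Returns True if the line was written, False if the target was rejected.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        # O_NOFOLLOW makes open() fail (ELOOP on Linux, EMLINK on FreeBSD)
        # when the last path component is a symlink, instead of following it.
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return False
        raise
    try:
        # Inspect the file that was actually opened, not the name.
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            return False
        os.write(fd, (message.rstrip("\n") + "\n").encode())
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: the log name is a symlink to a stand-in script."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "majordomo")  # stand-in, not the real file
        with open(target, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        link = os.path.join(tmp, "majordomo.debug")
        os.symlink(target, link)
        refused = not append_debug_log(link, "crash report")
        with open(target) as fh:
            untouched = fh.read() == "#!/usr/bin/perl\n"
        written = append_debug_log(os.path.join(tmp, "plain.debug"), "crash")
        return refused, untouched, written


if __name__ == "__main__":
    print(demo())
```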

SOLUTION

    According to Steven Pritchard, looking at the latest version of
    majordomo (1.94.4), it seems the problem isn't that bad.  A
    well-configured majordomo is not vulnerable (by "well-configured",
    he means one where the admin has edited majordomo.cf to change
    $TMPDIR to something not world-writable.  If you haven't done that
    yet, do it now).  He did find one case where majordomo doesn't
    honor the $TMPFILE variable though.  Apply the following patch to
    fix it:

    --- majordomo.pl.orig   Wed Aug 27 09:58:53 1997
    +++ majordomo.pl        Thu Mar 26 18:42:29 1998
    @@ -324,7 +324,7 @@
     }

     # These are package globals referenced by &setlogfile and &log
    -$log_file = "/tmp/log.$$";
    +$log_file = "$main'TMPDIR/log.$$";
     $log_host = "UNKNOWN";
     $log_program = "UNKNOWN";
     $log_session = "UNKNOWN";
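Review bot: the new assignment `$log_file = "$main'TMPDIR/log.$$";` is a package-level initializer, so please confirm that $main'TMPDIR already holds the value from majordomo.cf when this line runs; if it is still empty at that point the path collapses to "/log.$$" and the setting is not honored here either. The file name is also still derived only from the process ID, so the fix depends entirely on $TMPDIR pointing at a directory that is not world-writable, and a comment above the line saying so (or a check that fails when $TMPDIR is unset) would make that dependency explicit.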