-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Nico de Koo)                       Index  :    S-94-17
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : Majordomo Vulnerabilities                   Date   :  10-Jun-94
===============================================================================

   CERT-NL received information on vulnerabilties in Majordomo.
   CERT-NL wishes to thank CERT/CC for providing this information.

=============================================================================

The CERT-NL has received reports of vulnerabilities in all
versions of Majordomo up to and including version 1.91. These vulnerabilities
enable intruders to gain access to the account that runs the Majordomo
software, even if the site has firewalls and TCP wrappers. 

CERT recommends that all sites running Majordomo replace their current version
with version 1.92 (see Section III for instructions).  It is possible to apply
a quick fix to versions prior to 1.92, but we strongly recommend obtaining
1.92 instead. 

As we receive additional information relating to this advisory, we
will place it, along with any clarifications, in a S-94-17.APPENDIX
file. CERT-NL advisories and their associated APPENDIX files are available
by anonymous FTP from ftp.nic.surfnet.nl. (See footer). We encourage you to 
check the APPENDIX files regularly for updates on advisories that relate 
to your site.

- -----------------------------------------------------------------------------

I.   Description

     Two vulnerabilities have recently been found in Majordomo. These
     vulnerabilities enable intruders to gain access to the account that 
     runs the Majordomo software, thus gaining the ability to execute 
     arbitrary commands. The vulnerabilities can be exploited without 
     a valid user name and password on the local machine, and firewalls 
     and TCP wrapper protection can be bypassed. CERT has received reports 
     that the vulnerabilities are currently being exploited. 

II.  Impact

     Intruders can install and execute programs as the user running the
     Majordomo software.

III. Solution

     A.  Recommended solution for all versions through 1.91

         Obtain and install Majordomo version 1.92, following the
         instructions in the README file included with 1.92.

         This new version is available by anonymous FTP from 
         FTP.GreatCircle.COM and is located in the directory
         /pub/majordomo as a compressed tar file, majordomo-1.92.tar.Z.

         Due to the fact that the bandwidth towards GreatCircle.COM 
         is limited poor performance might be expected in retrieving 
         the new version of Majordomo from GreatCircle.COM. For your 
         convenience, this file is also availble from the SURFnet InfoServer. 
         Please find below the URL:

         ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/
                    misc/majordomo-1.92.tar.Z

                            BSD        SVR4
         File               Checksum   Checksum    MD5 Digital Signature
         -----------------  --------   --------- --------------------------------
      majordomo-1.92.tar.Z  55701 223  23408 446 17d9bb9fd4872ab09d01bfeb643b5ebb

     B.  Quick fix for versions 1.91 and earlier
         
         Until you are able to install the new version of Majordomo, you
         should install the following quick fix, which has two steps.
         If you are running Majordomo 1.90 and earlier, you must take both
         steps. If you are running version 1.91, you need only take the 
         first step. 

         Step 1 -  Disable new-list by either renaming the new-list program
                   or removing it from the aliases file. 

                   If you have version 1.90 and earlier, go on to Step 2.


         Step 2 -  In every place in the Majordomo code where there is a
                   string of any of these forms,
                                    
                   "|/usr/lib/sendmail -f<whatever> $to"       #majordmo.pl
                   "|/usr/lib/sendmail -f<whatever> $reply_to" #request-answer
                   "|/usr/lib/sendmail -f<whatever> \$to"      #majordomo.cf

                   Change that string to
   
                       "|/usr/lib/sendmail -f<whatever> -t"

                   Generally, you will find the strings in the request-answer
                   file, the majordomo.pl file, and your local majordomo.cf
                   file. 

         Note: If you are running a mailer other than sendmail, this step 
               may not fix the vulnerability. You should obtain and install
               version 1.92 as described in Section A above.


- ---------------------------------------------------------------------------

The CERT Coordination Center thanks Brent Chapman of Great Circle
Associates and John Rouillard of the University of Massachusetts at
Boston for their support in responding to the problem.

- ---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WFjSYjBqwfc9jEQKM9gCgsxI3dsUMbpOfqgI7YFr8hh8Q/nwAn36k
+vIfLSDfcn63scDGkqZXJ0pw
=sD7p
-----END PGP SIGNATURE-----