94-03a
81da501b5c86e17f8db57a45f0dd97b60729c2a1fc0d7a548122bcc309a8a9a1
=============================================================================
SA-94.03a SERT Advisory
10-June-1994
Security vulnerabilities in majordomo (revised)
-----------------------------------------------------------------------------
** Note: This Updated Advisory contains new information. Version 1.91 has
now been replaced with version 1.92.
The Security Emergency Response Team has received information that all
versions of majordomo up to version 1.91 contain vulnerabilities which
allow user specified commands to be executed as the user which is running
the majordomo software.
1. Description
Several vulnerabilities exist in all versions of majordomo up to and
including 1.91 which allow arbitrary commands to be be executed as the
user which is running majordomo.
A valid username and password on the local machine is not required to
successfully exploit this vulnerability.
The vulnerabilities may be used to mail in a program, compile it, and
then execute it. These types of programs may be used to bypass
firewall and TCP Wrapper protections.
These vulnerabilities are currently being exploited.
2. Impact
Unauthorised users may gain access to the account that runs the
majordomo software. This may be achieved despite the presence of
firewalls and TCP wrappers.
3. Solutions
3.1 Version 1.92 of majordomo has been modified to fix these
vulnerabilities. It can be retrieved from
ftp.sert.edu.au:/pub/majordomo. There are installation instructions in
the majordomo-1.92.README file.
3.2 For earlier versions of majordomo, it is possible to implement
a quick change to the configuration to remove this vulnerability. It
is still recommended that you upgrade to the latest version of
majordomo as soon as possible.
If you are using a mailer other than sendmail this quick fix may not
work. In this case, you should install majordomo version 1.92.
Every place in the majordomo code (generally, this will be in the
"request-answer" file, the "majordomo.pl" file, and your local
majordomo.cf file) where there is a string of the form
"|/usr/lib/sendmail -f<whatever> $to" # majordomo.pl
"|/usr/lib/sendmail -f<whatever> $reply_to" # request-answer
"|/usr/lib/sendmail -f<whatever> $reply_to $list-approval" # new-list
"|/usr/lib/sendmail -f<whatever> \$to" # majordomo.cf
change them to
"|/usr/lib/sendmail -f<whatever> -t"
4. new-list vulnerability.
Version 1.91 of majordomo contains a vulnerability in the new-list
program. If you are runnig this version, you should disable new-list
by either:
(i) renaming the new-list program;
(ii) removing it from the aliases file.
----------------------------------------------------------------------------
The SERT team wishes to thank John Rouillard of the University of
Massachusetts at Boston for his advice in this matter.
----------------------------------------------------------------------------
If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: sert@sert.edu.au
Facsimile: (07) 365 4477
SERT Hotline: (07) 365 4417
SERT personnel answer during business hours (AEST - GMT+10:00).
(On call after hours for emergencies).
Security Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld. 4072.
Australia.