_____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     /_\   /
                             \___  __|__  /   \  \___
               _____________________________________________________

                               INFORMATION BULLETIN

             Majordomo distribution list administrator vulnerabilities


June 15, 1994 1400 PDT                                             Number E-30
______________________________________________________________________________ 

PROBLEM:        Two vulnerabilities in Majordomo distribution list
                administrator.
PLATFORMS:      All unix systems using Majordomo versions 1.91 and earlier.
DAMAGE:         Remote users may gain access to the Majordomo account.
SOLUTION:       Upgrade to Majordomo 1.92 or apply quick fix described below.
______________________________________________________________________________

VULNERABILITY   This vulnerability is being discussed on public mailing lists
ASSESSMENT:     and is currently being exploited.  CIAC recommends that sites
                determine if they are using Majordomo for their distribution
                lists, and, if so, follow the steps described below.
______________________________________________________________________________

  Critical Information about the Majordomo distribution list administrator
                             vulnerabilities

CIAC has learned of two vulnerabilities in the Majordomo distribution list
administrator software. These allow intruders to gain remote access to the
Majordomo account and execute arbitrary commands. Exploitation does not
require a valid username/password combination and bypasses firewalls and
TCP wrappers. This vulnerability affects all versions of Majordomo up to
and including version 1.91. It does not affect users of Majordomo (i.e.,
subscribers), nor hosts using other distribution list managers. CIAC
recommends that sites determine if they are running Majordomo. If so,
upgrade to version 1.92. If the associated mailer is sendmail and upgrading
immediately is not possible, then, as an interim solution, follow the
instructions for the quick fix in 2 below.

1. Upgrading to Majordomo 1.92

   Obtain Majordomo 1.92 via anonymous ftp in the indicated directory on any
   one of the following servers:

   ftp.pgh.net:/pub/majordomo/majordomo-1.92.tar.Z
   ftp.cs.umb.edu:/pub/rouilj/majordomo-1.92.tar.Z
   FTP.GreatCircle.COM:/pub/majordomo/majordomo-1.92.tar.Z

   Follow the installation instructions in the included main README file. Note
   that the compressed file should have the following checksum and signature.

                           BSD        SVR4
   File                  Checksum   Checksum    MD5 Digital Signature
   ____________________  _________  _________ ________________________________
   majordomo-1.92.tar.Z  55701 223  23408 446 17d9bb9fd4872ab09d01bfeb643b5ebb

   If your copy computes differently, contact the ftp site or CIAC before
   proceeding.

2. Quick fix for versions 1.91 and earlier that use the sendmail mailer (this
   fix is not supported for other mailers). For version 1.91, perform the first
   step only. For version 1.90 and earlier, perform both steps.

   Versions 1.91 and earlier:

      Disable new-list by either renaming or removing it from the aliases file.

   Versions 1.90 and earlier:

      Find all occurrences of strings of any the following forms:

      "|/usr/lib/sendmail -f<whatever> $to"                      #majordomo.pl
      "|/usr/lib/sendmail -f<whatever> $reply_to"                #request-answer
      "|/usr/lib/sendmail -f<whatever> $reply_to $list-approval" # new-list
      "|/usr/lib/sendmail -f<whatever> \$to"                     #majordomo.cf

      Change all occurrences of that string to
   
      "|/usr/lib/sendmail -f<whatever> -t"
   
   You should find these strings in the request-answer, majordomo.pl, and your
   local majordomo.cf files.                                               
                                                                
______________________________________________________________________________

CIAC acknowledges the CERT Coordination Center and John Rouillard of the
University of Massachusetts at Boston for providing the information for
this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information,
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name  LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.