[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] [Cobalt] Security Advisory - Majordomo

Subject: [cobalt-users] [Cobalt] Security Advisory - Majordomo
From: Jeff Lovell <jlovell@xxxxxxxxxxxxxxxxxx>
Date: Fri Jan 7 20:37:47 2000

Cobalt Networks -- Security Advisory -- 01.06.2000

Problem:
The currently installed version of majordomo that runs on all of
Cobalt's second and third generation products (Qube2, RaQ2, and
RaQ3) has a security issue that allows local users to obtain elevated
permissions.

Description:
There are two separate way to exploit this version of majordomo.
Majordomo's functions are performed through a wrapper program that
is installed setuid and setgid, and that wrapper calls all of the
packages functions.

#1  The resend function in vulnerable by passing the first command-line
    argument as a piped system command:

    '/usr/local/majordomo/wrapper resend "@|whoami"'

#2  By specifying an alternate configuration file that is Perl code,
    the user may execute arbitrary commands with an elevated status.

    sample config - foo.pl
    ----------------------
    #!/usr/bin/perl

    system("whoami");
    ----------------------

    '/usr/local/majordomo/wrapper majordomo -l foobar -C 'foo.pl'


Cobalt Networks is dedicated to providing secure platforms.
Accordingly, we have just completed a fix for this bug that is 
available in PKG format, which can be found at the following 
locations:

RaQ3i (x86)
ftp://ftp.cobaltnet.com/pub/experimental/security/majordomo/RaQ3-Security-1.5.pkg

RaQ2 (MIPS)
ftp://ftp.cobaltnet.com/pub/experimental/security/majordomo/RaQ2-Security-2.93.pkg

Qube2 (MIPS)
ftp://ftp.cobaltnet.com/pub/experimental/security/majordomo/Qube2-Security-2.7.pkg


MD5 sum                           Package Name
--------------------------------------------------------------------------
2f54c969e7f7f9603279dc6967837dd1  RaQ3-Security-1.5.pkg
b7102e8c153ea9e70aca97a6a90b7c2c  RaQ2-Security-2.93.pkg
e6a2b44bd18dbe9205db59a09b483e35  Qube2-Security-2.7.pkg

This package is currently in testing, and should only be
applied if the user feels their system is at risk.

Jeff Lovell
Software Engineer
Cobalt Networks
jlovell@xxxxxxxxxx

Follow-Ups:
- [cobalt-users] Memory problems with Webalizer pkg
  - From: Fathi Said

Prev by Date: RE: [cobalt-users] email scanning
Next by Date: [cobalt-users] alias: :include:/dir/dir/mail.list
Previous by thread: [cobalt-users] Manual Apache conf edits
Next by thread: [cobalt-users] Memory problems with Webalizer pkg

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index