============================================================================= SA-94.03a SERT Advisory 10-June-1994 Security vulnerabilities in majordomo (revised) ----------------------------------------------------------------------------- ** Note: This Updated Advisory contains new information. Version 1.91 has now been replaced with version 1.92. The Security Emergency Response Team has received information that all versions of majordomo up to version 1.91 contain vulnerabilities which allow user specified commands to be executed as the user which is running the majordomo software. 1. Description Several vulnerabilities exist in all versions of majordomo up to and including 1.91 which allow arbitrary commands to be be executed as the user which is running majordomo. A valid username and password on the local machine is not required to successfully exploit this vulnerability. The vulnerabilities may be used to mail in a program, compile it, and then execute it. These types of programs may be used to bypass firewall and TCP Wrapper protections. These vulnerabilities are currently being exploited. 2. Impact Unauthorised users may gain access to the account that runs the majordomo software. This may be achieved despite the presence of firewalls and TCP wrappers. 3. Solutions 3.1 Version 1.92 of majordomo has been modified to fix these vulnerabilities. It can be retrieved from ftp.sert.edu.au:/pub/majordomo. There are installation instructions in the majordomo-1.92.README file. 3.2 For earlier versions of majordomo, it is possible to implement a quick change to the configuration to remove this vulnerability. It is still recommended that you upgrade to the latest version of majordomo as soon as possible. If you are using a mailer other than sendmail this quick fix may not work. In this case, you should install majordomo version 1.92. Every place in the majordomo code (generally, this will be in the "request-answer" file, the "majordomo.pl" file, and your local majordomo.cf file) where there is a string of the form "|/usr/lib/sendmail -f $to" # majordomo.pl "|/usr/lib/sendmail -f $reply_to" # request-answer "|/usr/lib/sendmail -f $reply_to $list-approval" # new-list "|/usr/lib/sendmail -f \$to" # majordomo.cf change them to "|/usr/lib/sendmail -f -t" 4. new-list vulnerability. Version 1.91 of majordomo contains a vulnerability in the new-list program. If you are runnig this version, you should disable new-list by either: (i) renaming the new-list program; (ii) removing it from the aliases file. ---------------------------------------------------------------------------- The SERT team wishes to thank John Rouillard of the University of Massachusetts at Boston for his advice in this matter. ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact SERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: sert@sert.edu.au Facsimile: (07) 365 4477 SERT Hotline: (07) 365 4417 SERT personnel answer during business hours (AEST - GMT+10:00). (On call after hours for emergencies). Security Emergency Response Team c/- Prentice Centre The University of Queensland Qld. 4072. Australia.