Advisory: mailman local compromise (fwd)

---------- Forwarded message ---------- Date: Tue, 1 Aug 2000 13:14:20 -0400 From: Stan Bubrouski <secnet@CROSSWINDS.NET> To: BUGTRAQ@SECURITYFOCUS.COM Subject: Advisory: mailman local compromise Author : Stan Bubrouski Date : August 1, 2000 Package : mailman Versions affected : 2.0beta3 (released: 2000-Jun-28 23:25) 2.0beta4 (released: 2000-Jul-06 21:27) Severity : access to group mailman binaries are installed as which (usually mailman). Most directories in a mailman install are mode 2755 as are most of the binaries and scripts. Many configurations are 664 allowing a local user to change list ocnfigurations and even read the adm.pw passwd file. Additionally besides being able to read public and private data along with passwds, a malicious user could replace binaries and scripts in a mailman installation because they are writable by group mailman. Problem : The mailman package comes with a sgid program named wrapper. This program contains a function named fatal() which is used to display error messages. Unfortunately it fails to send the correct amount of arguments to the fprintf(3) function allowing users to add formatting which could be used to insert and execute code under group mailman. fatal() is called when invalid arguments are provided and in such a case, the invalid arguments are sent to fprintf without being formatted, the same goes for argv[0]. Example: [user@king user]$ ls -al /usr/share/mailman/mail/wrapper -rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48 /usr/share/mailman/mail/wrapper [user@king user]$ cd /usr/share/mailman/mail [user@king mail]$ ls -al total 39 drwxrwsr-x 2 mailman mailman 1024 Jul 12 19:29 . drwxrwsr-x 16 mailman mailman 1024 Jul 27 20:13 .. -rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48 wrapper [user@king mail]$ ./wrapper Usage: ./wrapper program [args...] [user@king mail]$ ./wrapper %s Illegal command: Illegal command: %s[user@king mail]$ ./wrapper %s%s Illegal command: Illegal command: %s%s�����=@����X����>@[user@king mail]$ ./wrapper %s%s%s Segmentation fault [user@king mail]$ ./wrapper %s%u%p Illegal command: Illegal command: %s%u%p32212244600x656c6c49[user@king mail]$ [user@king mail]$ doexec ./wrapper %s Usage: Usage: %s program [args...] program [args...] [user@king mail]$ doexec ./wrapper %s%s Usage: Usage: %s%s program [args...] �����=@����X����>@ program [args...] [user@king mail]$ doexec ./wrapper %s%p Usage: Usage: %s%p program [args...] 0xbffffc0c program [args...] [user@king mail]$ doexec ./wrapper %s%S%u Usage: Usage: %s%S%u program [args...] [user@king mail]$ doexec ./wrapper %s%s Usage: Usage: %s%s program [args...] �����=@����X����>@ program [args...] [user@king mail]$ doexec ./wrapper %s%s%s Segmentation fault [user@king mail]$ Patch: diff -u -r ./cgi-wrapper.c.orig ./cgi-wrapper.c --- ./cgi-wrapper.c.orig Tue Mar 21 01:26:41 2000 +++ ./cgi-wrapper.c Fri Jul 28 00:17:42 2000 @@ -53,7 +53,7 @@ fake_argv[2] = script; status = run_script("driver", 3, fake_argv, env); - fatal(logident, status, "%s", strerror(errno)); + fatal(logident, status, "%s\n", strerror(errno)); return status; } diff -u -r common.c.orig ./common.c --- ./common.c.orig Mon May 22 14:59:31 2000 +++ ./common.c Thu Jul 27 23:58:12 2000 @@ -108,7 +108,7 @@ printf("</pre>\n"); } else - fprintf(stderr, log_entry); + fprintf(stderr, "%s", log_entry); #endif /* HELPFUL */ exit(exitcode); } diff -u -r ./mail-wrapper.c.orig ./mail-wrapper.c --- ./mail-wrapper.c.orig Tue Mar 21 01:26:41 2000 +++ ./mail-wrapper.c Fri Jul 28 00:16:34 2000 @@ -67,13 +67,13 @@ if (!check_command(argv[1])) fatal(logident, MAIL_ILLEGAL_COMMAND, - "Illegal command: %s", argv[1]); + "Illegal command: %s\n", argv[1]); check_caller(logident, parentgid); /* If we got here, everything must be OK */ status = run_script(argv[1], argc, argv, env); - fatal(logident, status, "%s", strerror(errno)); + fatal(logident, status, "%s\n", strerror(errno)); return status; } Patch info : The patch fixes fatal() and also adds newlines to some fatal() calls because fatal() does not tack them on and as you can see in the example above, the lack of newlines in some calls make errors harder to read. I made the patch using the latest CVS tree but it should apply to beta3 and beta4 releases as well.
participants (1)
-
Trevor Johnson