[Mailman-Users] Advisory: mailman local compromise (fwd)

Trevor Johnson trevor at jpj.net
Wed Aug 2 00:19:11 CEST 2000 

---------- Forwarded message ----------
Date: Tue, 1 Aug 2000 13:14:20 -0400
From: Stan Bubrouski <secnet at CROSSWINDS.NET>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Advisory: mailman local compromise

Author                 : Stan Bubrouski
Date                    : August 1, 2000
Package              : mailman
Versions affected : 2.0beta3 (released: 2000-Jun-28 23:25)
                              2.0beta4 (released: 2000-Jul-06 21:27)
Severity               : access to group mailman binaries are installed as 
which (usually mailman).
                              Most directories in a mailman install are 
mode 2755 as are most of the
                              binaries and scripts.  Many configurations 
are 664 allowing a local user
                              to change list ocnfigurations and even read 
the adm.pw passwd file.
                              Additionally besides being able to read 
public and private data along with
                              passwds, a malicious user could replace 
binaries and scripts in a mailman
                              installation because they are writable by 
group mailman.
Problem              : The mailman package comes with a sgid program named 
wrapper.  This
                              program contains a function named fatal() 
which is used to display error
                              messages.  Unfortunately it fails to send the 
correct amount of arguments
                              to the fprintf(3) function allowing users to 
add formatting which could
                              be used to insert and execute code under 
group mailman.  fatal()
                              is called when invalid arguments are provided 
and in such a case, the invalid
                              arguments are sent to fprintf without being 
formatted, the same goes for argv[0].
Example:

[user at king user]$ ls -al /usr/share/mailman/mail/wrapper
-rwxr-sr-x    1 mailman  mailman     36290 Jul  1 06:48 
/usr/share/mailman/mail/wrapper
[user at king user]$ cd /usr/share/mailman/mail
[user at king mail]$ ls -al
total 39
drwxrwsr-x    2 mailman  mailman      1024 Jul 12 19:29 .
drwxrwsr-x   16 mailman  mailman      1024 Jul 27 20:13 ..
-rwxr-sr-x    1 mailman  mailman     36290 Jul  1 06:48 wrapper
[user at king mail]$ ./wrapper
Usage: ./wrapper program [args...]
[user at king mail]$ ./wrapper %s
Illegal command: Illegal command: %s[user at king mail]$ ./wrapper %s%s
Illegal command: Illegal command: %s%s•ýÿ¿œ=@„üÿ¿Xüÿ¿€>@[user at king 
mail]$ ./wrapper %s%s%s
Segmentation fault
[user at king mail]$ ./wrapper %s%u%p
Illegal command: Illegal command: %s%u%p32212244600x656c6c49[user at king mail]$
[user at king mail]$ doexec ./wrapper %s
Usage: Usage: %s program [args...]
  program [args...]
[user at king mail]$ doexec ./wrapper %s%s
Usage: Usage: %s%s program [args...]
“ýÿ¿œ=@„üÿ¿Xüÿ¿€>@ program [args...]
[user at king mail]$ doexec ./wrapper %s%p
Usage: Usage: %s%p program [args...]
0xbffffc0c program [args...]
[user at king mail]$ doexec ./wrapper %s%S%u
Usage: Usage: %s%S%u program [args...]
[user at king mail]$ doexec ./wrapper %s%s
Usage: Usage: %s%s program [args...]
“ýÿ¿œ=@„üÿ¿Xüÿ¿€>@ program [args...]
[user at king mail]$ doexec ./wrapper %s%s%s
Segmentation fault
[user at king mail]$

Patch:
diff -u -r ./cgi-wrapper.c.orig ./cgi-wrapper.c
--- ./cgi-wrapper.c.orig        Tue Mar 21 01:26:41 2000
+++ ./cgi-wrapper.c     Fri Jul 28 00:17:42 2000
@@ -53,7 +53,7 @@
         fake_argv[2] = script;

         status = run_script("driver", 3, fake_argv, env);
-       fatal(logident, status, "%s", strerror(errno));
+       fatal(logident, status, "%s\n", strerror(errno));
         return status;
  }

diff -u -r common.c.orig ./common.c
--- ./common.c.orig     Mon May 22 14:59:31 2000
+++ ./common.c  Thu Jul 27 23:58:12 2000
@@ -108,7 +108,7 @@
                 printf("</pre>\n");
         }
         else
-               fprintf(stderr, log_entry);
+               fprintf(stderr, "%s", log_entry);
  #endif /* HELPFUL */
         exit(exitcode);
  }
diff -u -r ./mail-wrapper.c.orig ./mail-wrapper.c
--- ./mail-wrapper.c.orig       Tue Mar 21 01:26:41 2000
+++ ./mail-wrapper.c    Fri Jul 28 00:16:34 2000
@@ -67,13 +67,13 @@

         if (!check_command(argv[1]))
                 fatal(logident, MAIL_ILLEGAL_COMMAND,
-                     "Illegal command: %s", argv[1]);
+                     "Illegal command: %s\n", argv[1]);

         check_caller(logident, parentgid);

         /* If we got here, everything must be OK */
         status = run_script(argv[1], argc, argv, env);
-       fatal(logident, status, "%s", strerror(errno));
+       fatal(logident, status, "%s\n", strerror(errno));
         return status;
  }

Patch info            : The patch fixes fatal() and also adds newlines to 
some fatal() calls because
                              fatal() does not tack them on and as you can 
see in the example above, the
                              lack of newlines in some calls make errors 
harder to read.  I made the patch
                              using the latest CVS tree but it should apply 
to beta3 and beta4 releases as well.

More information about the Mailman-Users mailing list