=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL (Nico de Koo) Index : S-94-17 Distribution : World Page : 1 Classification: External Version: Final Subject : Majordomo Vulnerabilities Date : 10-Jun-94 =============================================================================== CERT-NL received information on vulnerabilties in Majordomo. CERT-NL wishes to thank CERT/CC for providing this information. ============================================================================= The CERT-NL has received reports of vulnerabilities in all versions of Majordomo up to and including version 1.91. These vulnerabilities enable intruders to gain access to the account that runs the Majordomo software, even if the site has firewalls and TCP wrappers. CERT recommends that all sites running Majordomo replace their current version with version 1.92 (see Section III for instructions). It is possible to apply a quick fix to versions prior to 1.92, but we strongly recommend obtaining 1.92 instead. As we receive additional information relating to this advisory, we will place it, along with any clarifications, in a S-94-17.APPENDIX file. CERT-NL advisories and their associated APPENDIX files are available by anonymous FTP from ftp.nic.surfnet.nl. (See footer). We encourage you to check the APPENDIX files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description Two vulnerabilities have recently been found in Majordomo. These vulnerabilities enable intruders to gain access to the account that runs the Majordomo software, thus gaining the ability to execute arbitrary commands. The vulnerabilities can be exploited without a valid user name and password on the local machine, and firewalls and TCP wrapper protection can be bypassed. CERT has received reports that the vulnerabilities are currently being exploited. II. Impact Intruders can install and execute programs as the user running the Majordomo software. III. Solution A. Recommended solution for all versions through 1.91 Obtain and install Majordomo version 1.92, following the instructions in the README file included with 1.92. This new version is available by anonymous FTP from FTP.GreatCircle.COM and is located in the directory /pub/majordomo as a compressed tar file, majordomo-1.92.tar.Z. Due to the fact that the bandwidth towards GreatCircle.COM is limited poor performance might be expected in retrieving the new version of Majordomo from GreatCircle.COM. For your convenience, this file is also availble from the SURFnet InfoServer. Please find below the URL: ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/ misc/majordomo-1.92.tar.Z BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- majordomo-1.92.tar.Z 55701 223 23408 446 17d9bb9fd4872ab09d01bfeb643b5ebb B. Quick fix for versions 1.91 and earlier Until you are able to install the new version of Majordomo, you should install the following quick fix, which has two steps. If you are running Majordomo 1.90 and earlier, you must take both steps. If you are running version 1.91, you need only take the first step. Step 1 - Disable new-list by either renaming the new-list program or removing it from the aliases file. If you have version 1.90 and earlier, go on to Step 2. Step 2 - In every place in the Majordomo code where there is a string of any of these forms, "|/usr/lib/sendmail -f $to" #majordmo.pl "|/usr/lib/sendmail -f $reply_to" #request-answer "|/usr/lib/sendmail -f \$to" #majordomo.cf Change that string to "|/usr/lib/sendmail -f -t" Generally, you will find the strings in the request-answer file, the majordomo.pl file, and your local majordomo.cf file. Note: If you are running a mailer other than sendmail, this step may not fix the vulnerability. You should obtain and install version 1.92 as described in Section A above. --------------------------------------------------------------------------- The CERT Coordination Center thanks Brent Chapman of Great Circle Associates and John Rouillard of the University of Massachusetts at Boston for their support in responding to the problem. --------------------------------------------------------------------------- ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "surfnet/net-security/cert-nl/docs/bulletin". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are one (when DST is in effect two) hour(s) ahead of Universal Time Coordinated (i.e. UTC+0100 (UTC+0200)). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ==============================================================================