> Hahaha! Isn't that just like the thing - the owner of a 'full disclosure'
> list resorts to security by obscurity when it's *his* machine that's
> vulnerable.
> Wish I hadn't wasted my money phoning the States to warn you about
> it last night. Excuse me while I sign up with CERT's mailing list
> again, they'll probably tell me more :-(

Do whatever you like. Information about this hole was to be posted within
HOURS of my post informing of the current problems. It is now available
and has been posted.

> G
> (It *is* majordomo, isn't it? Since you now have it under an
> obvious wrapper, I guess that means there's a way to pass it
> command line options somehow in a mail address...?)

Majordomo is always run under a wrapper. And yes, the problem is with
passing commands in a manipulated sendmail header (if you don't know by
now). This script is being passed and actively used. I didn't bother
posting the whole script since the description of what it manipulates is
quite clear.

--Scott

---CUT HERE--
# Majordomo Penetration Tool v1.0
# (c) 1994 Idefix
#
# A tool to open a port on machines running the majordomo mailserver.
# I based this on the sendmail exploit code by Scott Chasin; I hacked it
# a bit and did some brainstorming about how to bypass the filters and
# checks of the majordomo script.
#
# The script makes use of the system() command in the majordomo maillist
# server program. By supplying commands on the From: line these are executed
# by the majordomo server. The majordomo server allows managing multiple
# maillists. The best way to determine if a maillist is managed by majordomo
# is to telnet to port 25 of the host and type EXPN <the-majordomo-user>,
# thus for example:
#
# EXPN majordomo
# 250 "|/usr/local/majordomo/wrapper majordomo"
#
# Some lists are managed by a list-specific request address of the form
# maillist-request@host. Thus for example:
#
# EXPN maillist-request
# 250 "|/usr/local/majordomo/wrapper request-answer maillist"
#
# The wrapper is run with the daemon uid or some special list uid. This
# will also be the uid the shell on a port will be run under. The shell
# can be accessed by telnetting to the port. Because of the way
# <return> is handled every command must be terminated by a ';' the resulting
# '... not found' can be ignored.
#
# When mailing to the regular majordomo server an entry is put in a Log
# file. Also it is best to check the aliases file to see if there is an
# archive that the messages are also going to.
#
# Options are the mailserver address, the port where the command will be
# connected to, the command to be executed (this should not contain any
# '/' characters, because messages containing it will be discarded), and a
# return address to check if the sendmail command is executed.
# Usage: mpt <hostname> <target-port> <shell command> <return-address>
# default: mpt firewalls-request@mycroft.greatcircle.com <7001> <sh> <>
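The two checks a list administrator would want after reading the above, as an added example that is not part of the post or of the Majordomo code: first, the difference between handing a From: address to system() as part of a shell string and passing it as one argv element after a strict syntax check; second, a parser for the SMTP EXPN reply shown above, to inventory which addresses expand to the majordomo wrapper. It is written in Python rather than Majordomo's Perl, the sendmail path and the sample messages are constructed for illustration, and the address grammar is deliberately narrower than RFC 822 so that every shell metacharacter is outside it.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input (not from the original post): one benign
# request and one whose From: line carries a shell metacharacter of the
# kind a system()-based sendmail invocation would hand to /bin/sh.
BENIGN_MSG = (
    "Return-Path: <alice@example.org>\n"
    "From: alice@example.org\n"
    "To: majordomo@lists.example.org\n"
    "Subject: help\n"
    "\n"
    "help\n"
)
HOSTILE_MSG = (
    "From: bob@example.org; id\n"
    "To: majordomo@lists.example.org\n"
    "\n"
    "help\n"
)

# Strict address grammar: local part, '@', dotted host. Anything outside
# this set (';', '|', '`', '$', quotes, whitespace, '<', '>') is rejected.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def from_address(message: str) -> Optional[str]:
    """Return the value of the first From: header, or None if absent."""
    headers = message.split("\n\n", 1)[0]
    for line in headers.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "from":
            return value.strip()
    return None


def is_safe_address(addr: str) -> bool:
    return _ADDR_RE.fullmatch(addr) is not None


def naive_shell_command(addr: str, sendmail: str = "/usr/lib/sendmail") -> str:
    """The shape of the vulnerable call: a single string for system(),
    which runs it through 'sh -c'. Never executed here. With the address
    'bob@example.org; id' the shell runs sendmail and then 'id' as a
    second command, which is exactly what the post describes."""
    return f"{sendmail} -f {addr} -t"


def sendmail_argv(addr: str, sendmail: str = "/usr/lib/sendmail") -> List[str]:
    """Hardened form: validate first, then pass the address as one argv
    element (e.g. to execve or subprocess.run without shell=True) so no
    shell ever parses it. The path is an assumption for this example."""
    if not is_safe_address(addr):
        raise ValueError(f"refusing address with disallowed characters: {addr!r}")
    return [sendmail, "-f", addr, "-t"]


def check_request(message: str) -> Tuple[bool, str]:
    """Decide whether a request message may be answered via sendmail."""
    addr = from_address(message)
    if addr is None:
        return (False, "no From: header")
    try:
        sendmail_argv(addr)
    except ValueError as exc:
        return (False, str(exc))
    return (True, addr)


# Matches a 250 reply whose expansion is a program alias: 250 "|/path args".
_EXPN_RE = re.compile(r'^250[ -]"\|([^"\s]+)((?:\s+[^"]*)?)"\s*$')


def expn_program_alias(reply: str) -> Optional[Tuple[str, List[str]]]:
    """Parse an SMTP EXPN reply. Returns (program, args) when the address
    expands to a piped program (the majordomo wrapper in the post's
    examples), or None when it expands to an ordinary mailbox."""
    m = _EXPN_RE.match(reply.strip())
    if not m:
        return None
    return (m.group(1), m.group(2).split())


if __name__ == "__main__":
    for msg in (BENIGN_MSG, HOSTILE_MSG):
        print(check_request(msg))
    print(expn_program_alias('250 "|/usr/local/majordomo/wrapper majordomo"'))
```

The check runs on the request before any sendmail invocation is built, and the rejection is on syntax rather than on a denylist of characters, which is why the '/' filter the post mentions is not enough on its own: the address grammar above admits nothing that /bin/sh would treat specially, including the ';' the tool relies on. The EXPN parser is the inventory half: any address whose reply starts with `250 "|` is a program alias and is worth a look in the aliases file, whether or not the program is the majordomo wrapper.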