home *** CD-ROM | disk | FTP | other *** search
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- =============================================================================
- CERT(sm) Advisory CA-94:11
- Original issue date: June 9, 1994
- Last revised: August 30, 1996
- Information previously in the README was inserted
- into the advisory. Changed URL format.
-
- A complete revision history is at the end of this file.
-
- Topic: Majordomo Vulnerabilities
- - -----------------------------------------------------------------------------
-
- The CERT Coordination Center has received reports of vulnerabilities in all
- versions of Majordomo up to and including version 1.91. These vulnerabilities
- enable intruders to gain access to the account that runs the Majordomo
- software, even if the site has firewalls and TCP wrappers.
-
- We recommend that all sites running Majordomo replace their current version
- with version 1.92 (see Section III for instructions). It is possible to apply
- a quick fix to versions prior to 1.92, but we strongly recommend obtaining
- 1.92 instead.
-
- We will update this advisory as we receive additional information.
- Please check advisory files regularly for updates that relate to your site.
-
- - -----------------------------------------------------------------------------
-
- I. Description
-
- Two vulnerabilities have recently been found in Majordomo. These
- vulnerabilities enable intruders to gain access to the account that
- runs the Majordomo software, thus gaining the ability to execute
- arbitrary commands. The vulnerabilities can be exploited without
- a valid user name and password on the local machine, and firewalls
- and TCP wrapper protection can be bypassed. The CERT/CC has received
- reports that the vulnerabilities are currently being exploited.
-
- II. Impact
-
- Intruders can install and execute programs as the user running the
- Majordomo software.
-
- III. Solution
-
- A. Recommended solution for all versions through 1.92
-
- Obtain and install Majordomo version 1.93.
-
- This version is available from
-
- ftp://ftp.pgh.net/pub/majordomo/
- ftp://ftp.greatcircle.com/pub/majordomo/
-
- MD5 (majordomo-1.93.README) = 068bb343f23d3119cd196ed4222ab266
- MD5 (majordomo-1.93.tar.Z) = c589a3c3d420d68e096eafdfdac0c8aa
-
-
- B. Quick fix for versions 1.91 and earlier
-
- Until you are able to install the new version of Majordomo, you
- should install the following quick fix, which has two steps.
- If you are running Majordomo 1.90 and earlier, you must take both
- steps. If you are running version 1.91, you need only take the
- first step.
-
- Step 1 - Disable new-list by either renaming the new-list program
- or removing it from the aliases file.
-
- If you have version 1.90 and earlier, go on to Step 2.
-
-
- Step 2 - In every place in the Majordomo code where there is a
- string of any of these forms,
-
- "|/usr/lib/sendmail -f<whatever> $to" #majordomo.pl
- "|/usr/lib/sendmail -f<whatever> $reply_to" #request-answer
- "|/usr/lib/sendmail -f<whatever> $reply_to $list-approval" # new-list
- "|/usr/lib/sendmail -f<whatever> \$to" #majordomo.cf
-
- Change that string to
-
- "|/usr/lib/sendmail -f<whatever> -t"
-
- Generally, you will find the strings in the request-answer
- file, the majordomo.pl file, and your local majordomo.cf
- file.
-
-
- Note: If you are running a mailer other than sendmail, this step
- may not fix the vulnerability. You should obtain and install
- version 1.92 as described in Section A above.
-
- - ---------------------------------------------------------------------------
- The CERT Coordination Center thanks Brent Chapman of Great Circle
- Associates and John Rouillard of the University of Massachusetts at
- Boston for their support in responding to the problem.
- - ---------------------------------------------------------------------------
-
- If you believe that your system has been compromised, contact the CERT
- Coordination Center or your representative in Forum of Incident
- Response and Security Teams (FIRST).
-
- If you wish to send sensitive incident or vulnerability information to
- CERT via electronic mail, CERT strongly advises that the e-mail be
- encrypted. CERT can support a shared DES key, PGP (public key
- available via anonymous FTP on info.cert.org), or PEM (contact CERT
- for details).
-
- Internet E-mail: cert@cert.org
- Telephone: 412-268-7090 (24-hour hotline)
- CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
- and are on call for emergencies during other hours.
-
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh, PA 15213-3890
- USA
-
- Past advisories, information about FIRST representatives, and other
- information related to computer security are available for anonymous
- FTP from info.cert.org.
-
- Copyright 1994, 1995, 1996 Carnegie Mellon University
- This material may be reproduced and distributed without permission provided
- it is used for noncommercial purposes and the copyright statement is
- included.
-
- CERT is a service mark of Carnegie Mellon University.
-
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Revision history
-
- Aug. 30, 1996 Information previously in the README was inserted
- into the advisory. Changed URL format.
-
- June 09, 1995 Sec. III.A - pointer to majordomo 1.93
-
- June 1994 Sec. III.A - Added alternative FTP sites
- Sec. III.B - Revised step 2 of the workaround
-
-
- -----BEGIN PGP SIGNATURE-----
- Version: 2.6.2
-
- iQCVAwUBMiSoPnVP+x0t4w7BAQF2YwQAi0rNF/MEQ6JuuIHjqbxNDKfXvW3kl+y8
- yGZif/VbsUJRs7EOYQAkjgr5+t2oRzt3Y4NgSt2xtxzq5TJiDOZxxevTPLVATZ7d
- 4lIPmhBl7Cuh6NtOeIyv4UtQghzl+lqjXBhTPCoTObWRjx17xba04QLUZd0g6CXf
- 0E5dlPKOyMg=
- =+2Bq
- -----END PGP SIGNATURE-----
-
-
