Original issue date: June 9, 1994<BR>
Last revised: September 23, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of vulnerabilities in all
versions of Majordomo up to and including version 1.91. These vulnerabilities
enable intruders to gain access to the account that runs the Majordomo
software, even if the site has firewalls and TCP wrappers.

<P>We recommend that all sites running Majordomo replace their current version
with version 1.92 (see Section III for instructions).  It is possible to apply
a quick fix to versions prior to 1.92, but we strongly recommend obtaining
1.92 instead.

<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>


Two vulnerabilities have recently been found in Majordomo. These
vulnerabilities enable intruders to gain access to the account that
runs the Majordomo software, thus gaining the ability to execute
arbitrary commands. The vulnerabilities can be exploited without
a valid user name and password on the local machine, and firewalls
and TCP wrapper protection can be bypassed. The CERT/CC has received
reports that the vulnerabilities are currently being exploited.

<H2>II. Impact</H2>


Intruders can install and execute programs as the user running the
Majordomo software.

<H2>III. Solution</H2>


<H3>A.  Recommended solution for all versions through 1.92</H3>


Obtain and install Majordomo version 1.93.

<P>This version is available from

<P>
<A HREF=ftp://ftp.pgh.net/pub/majordomo/>ftp://ftp.pgh.net/pub/majordomo/</A>

<P>
<A HREF=ftp://ftp.greatcircle.com/pub/majordomo/>ftp://ftp.greatcircle.com/pub/majordomo/</A>

<P>MD5 (majordomo-1.93.README) = 068bb343f23d3119cd196ed4222ab266<BR>
MD5 (majordomo-1.93.tar.Z)  = c589a3c3d420d68e096eafdfdac0c8aa

<H3>B.  Quick fix for versions 1.91 and earlier</H3>


Until you are able to install the new version of Majordomo, you
should install the following quick fix, which has two steps.
If you are running Majordomo 1.90 and earlier, you must take both
steps. If you are running version 1.91, you need only take the
first step.

<P>
<STRONG>Step 1</STRONG> -  Disable new-list by either renaming the new-list program
or removing it from the aliases file.

<P>If you have version 1.90 and earlier, go on to Step 2.

<P>
<STRONG>Step 2</STRONG> -  In every place in the Majordomo code where there is a
string of any of these forms,
<PRE>
"|/usr/lib/sendmail -f&lt;whatever&gt; $to"      #majordomo.pl
"|/usr/lib/sendmail -f&lt;whatever&gt; $reply_to" #request-answer
"|/usr/lib/sendmail -f&lt;whatever&gt; $reply_to $list-approval" # new-list
"|/usr/lib/sendmail -f&lt;whatever&gt; \$to"      #majordomo.cf
</PRE>
Change that string to
<PRE>
"|/usr/lib/sendmail -f&lt;whatever&gt; -t
</PRE>
Generally, you will find the strings in the request-answer
file, the majordomo.pl file, and your local majordomo.cf
file.

<P>Note: If you are running a mailer other than sendmail, this step
may not fix the vulnerability. You should obtain and install
version 1.92 as described in Section A above.
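
<P>Both steps of the quick fix can be checked mechanically. The shell functions below are an added example, not part of the original advisory or of Majordomo: they report whether new-list is still enabled and whether any sendmail pipe string still names a recipient variable on the command line instead of using -t, which makes sendmail take the recipients from the message headers. The single-directory layout, the aliases file path supplied by the caller, and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the Section III.B
# quick fix has been applied to a Majordomo install.

# File names the advisory attaches to the strings in Step 2.
MJ_FILES="majordomo.pl request-answer new-list majordomo.cf"

# Step 1: new-list counts as enabled only if the program still exists under
# its own name AND a non-comment line of the aliases file refers to it.
newlist_enabled() {   # usage: newlist_enabled INSTALL_DIR ALIASES_FILE
    [ -f "$1/new-list" ] && grep -v '^[[:space:]]*#' "$2" | grep -q 'new-list'
}

# Step 2: print file:line:text for every sendmail pipe string that still has
# a separate variable argument ($to, \$to, $reply_to ...) after -f<whatever>.
find_unfixed() {      # usage: find_unfixed INSTALL_DIR
    for f in $MJ_FILES; do
        [ -f "$1/$f" ] || continue
        grep -n -E '"\|/usr/lib/sendmail[[:space:]]+-f[^"]*[[:space:]]\\?\$[A-Za-z_]' \
            "$1/$f" /dev/null || true
    done
}

# audit VERSION INSTALL_DIR ALIASES_FILE: prints findings, returns 1 if any.
# Per the advisory, 1.91 needs only Step 1; 1.90 and earlier need both.
audit() {
    rc=0
    if newlist_enabled "$2" "$3"; then
        echo "STEP1: new-list is still enabled"; rc=1
    fi
    if [ "$1" != "1.91" ]; then
        hits=$(find_unfixed "$2")
        if [ -n "$hits" ]; then
            echo "STEP2: recipient still on the sendmail command line:"
            echo "$hits"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample tree (not real Majordomo source) for trying the audit.
make_sample() {       # usage: make_sample DIR
    mkdir -p "$1"
    printf '%s\n' 'open(MAIL, "|/usr/lib/sendmail -f$sender $to");' > "$1/majordomo.pl"
    printf '%s\n' 'open(MAIL, "|/usr/lib/sendmail -f$sender -t");' > "$1/request-answer"
    printf '%s\n' '#!/usr/bin/perl' > "$1/new-list"
    printf '%s\n' '# constructed entry' 'new-list: "|/path/to/wrapper new-list"' > "$1/aliases"
}
```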

<P><HR>

<P>The CERT Coordination Center thanks Brent Chapman of Great Circle
Associates and John Rouillard of the University of Massachusetts at
Boston for their support in responding to the problem.

<P><HR>

<P>Copyright 1994, 1996 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory. Changed URL format.
June 09, 1995  Sec. III.A - pointer to majordomo 1.93
June 1994      Sec. III.A - Added alternative FTP sites
               Sec. III.B - Revised step 2 of the workaround
</PRE>