Versi baru mailman sudah ada. Silakan dicek apakah masih vulnerable
seperti dikatakan mail di bawah ini.
Ronny
----- Forwarded message from Stan Bubrouski <[EMAIL PROTECTED]> -----
> From: Stan Bubrouski <[EMAIL PROTECTED]>
> Reply-To: Stan Bubrouski <[EMAIL PROTECTED]>
> X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
> Date: Tue, 1 Aug 2000 13:14:20 -0400
> To: [EMAIL PROTECTED]
> Subject: Advisory: mailman local compromise
>
> Author : Stan Bubrouski
> Date : August 1, 2000
> Package : mailman
> Versions affected : 2.0beta3 (released: 2000-Jun-28 23:25)
> 2.0beta4 (released: 2000-Jul-06 21:27)
> Severity : access to group mailman binaries are installed as
> which (usually mailman).
> Most directories in a mailman install are
> mode 2755 as are most of the
> binaries and scripts. Many configurations
> are 664 allowing a local user
> to change list ocnfigurations and even read
> the adm.pw passwd file.
> Additionally besides being able to read
> public and private data along with
> passwds, a malicious user could replace
> binaries and scripts in a mailman
> installation because they are writable by
> group mailman.
> Problem : The mailman package comes with a sgid program named
> wrapper. This
> program contains a function named fatal()
> which is used to display error
> messages. Unfortunately it fails to send the
> correct amount of arguments
> to the fprintf(3) function allowing users to
> add formatting which could
> be used to insert and execute code under
> group mailman. fatal()
> is called when invalid arguments are provided
> and in such a case, the invalid
> arguments are sent to fprintf without being
> formatted, the same goes for argv[0].
> Example:
>
> [user@king user]$ ls -al /usr/share/mailman/mail/wrapper
> -rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48
> /usr/share/mailman/mail/wrapper
> [user@king user]$ cd /usr/share/mailman/mail
> [user@king mail]$ ls -al
> total 39
> drwxrwsr-x 2 mailman mailman 1024 Jul 12 19:29 .
> drwxrwsr-x 16 mailman mailman 1024 Jul 27 20:13 ..
> -rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48 wrapper
> [user@king mail]$ ./wrapper
> Usage: ./wrapper program [args...]
> [user@king mail]$ ./wrapper %s
> Illegal command: Illegal command: %s[user@king mail]$ ./wrapper %s%s
> Illegal command: Illegal command: %s%s�����=�@����X����>�@�[user@king
> mail]$ ./wrapper %s%s%s
> Segmentation fault
> [user@king mail]$ ./wrapper %s%u%p
> Illegal command: Illegal command: %s%u%p32212244600x656c6c49[user@king mail]$
> [user@king mail]$ doexec ./wrapper %s
> Usage: Usage: %s program [args...]
> program [args...]
> [user@king mail]$ doexec ./wrapper %s%s
> Usage: Usage: %s%s program [args...]
> �����=�@����X����>�@� program [args...]
> [user@king mail]$ doexec ./wrapper %s%p
> Usage: Usage: %s%p program [args...]
> 0xbffffc0c program [args...]
> [user@king mail]$ doexec ./wrapper %s%S%u
> Usage: Usage: %s%S%u program [args...]
> [user@king mail]$ doexec ./wrapper %s%s
> Usage: Usage: %s%s program [args...]
> �����=�@����X����>�@� program [args...]
> [user@king mail]$ doexec ./wrapper %s%s%s
> Segmentation fault
> [user@king mail]$
>
> Patch:
> diff -u -r ./cgi-wrapper.c.orig ./cgi-wrapper.c
> --- ./cgi-wrapper.c.orig Tue Mar 21 01:26:41 2000
> +++ ./cgi-wrapper.c Fri Jul 28 00:17:42 2000
> @@ -53,7 +53,7 @@
> fake_argv[2] = script;
>
> status = run_script("driver", 3, fake_argv, env);
> - fatal(logident, status, "%s", strerror(errno));
> + fatal(logident, status, "%s\n", strerror(errno));
> return status;
> }
>
> diff -u -r common.c.orig ./common.c
> --- ./common.c.orig Mon May 22 14:59:31 2000
> +++ ./common.c Thu Jul 27 23:58:12 2000
> @@ -108,7 +108,7 @@
> printf("</pre>\n");
> }
> else
> - fprintf(stderr, log_entry);
> + fprintf(stderr, "%s", log_entry);
> #endif /* HELPFUL */
> exit(exitcode);
> }
> diff -u -r ./mail-wrapper.c.orig ./mail-wrapper.c
> --- ./mail-wrapper.c.orig Tue Mar 21 01:26:41 2000
> +++ ./mail-wrapper.c Fri Jul 28 00:16:34 2000
> @@ -67,13 +67,13 @@
>
> if (!check_command(argv[1]))
> fatal(logident, MAIL_ILLEGAL_COMMAND,
> - "Illegal command: %s", argv[1]);
> + "Illegal command: %s\n", argv[1]);
>
> check_caller(logident, parentgid);
>
> /* If we got here, everything must be OK */
> status = run_script(argv[1], argc, argv, env);
> - fatal(logident, status, "%s", strerror(errno));
> + fatal(logident, status, "%s\n", strerror(errno));
> return status;
> }
>
> Patch info : The patch fixes fatal() and also adds newlines to
> some fatal() calls because
> fatal() does not tack them on and as you can
> see in the example above, the
> lack of newlines in some calls make errors
> harder to read. I made the patch
> using the latest CVS tree but it should apply
> to beta3 and beta4 releases as well.
>
>
----- End forwarded message -----
--------------------------------------------------------------------------
Utk berhenti langganan, kirim email ke [EMAIL PROTECTED]
Informasi arsip di http://www.linux.or.id/milis.php3
Pengelola dapat dihubungi lewat [EMAIL PROTECTED]
