INFORMATION BULLETIN

E-30: Majordomo distribution list administrator vulnerabilities

June 15, 1994 1400 PDT


PROBLEM:    Two vulnerabilities in Majordomo distribution list
            administrator.
PLATFORMS:  All unix systems using Majordomo versions 1.91 and earlier.
DAMAGE:     Remote users may gain access to the Majordomo account.
SOLUTION:   Upgrade to Majordomo 1.92 or apply quick fix described below.

VULNERABILITY  This vulnerability is being discussed on public mailing
ASSESSMENT:    lists and is currently being exploited.  CIAC recommends
               that sites determine if they are using Majordomo for their
               distribution lists, and, if so, follow the steps described
               below.

Critical Information about the Majordomo distribution list administrator vulnerabilities

CIAC has learned of two vulnerabilities in the Majordomo distribution list administrator software. These allow intruders to gain remote access to the Majordomo account and execute arbitrary commands. Exploitation does not require a valid username/password combination and bypasses firewalls and TCP wrappers. This vulnerability affects all versions of Majordomo up to and including version 1.91. It does not affect users of Majordomo (i.e., subscribers), nor hosts using other distribution list managers. CIAC recommends that sites determine if they are running Majordomo. If so, upgrade to version 1.92. If the associated mailer is sendmail and upgrading immediately is not possible, then, as an interim solution, follow the instructions for the quick fix in 2 below.

Upgrading to Majordomo 1.92
Obtain Majordomo 1.92 via anonymous ftp in the indicated directory on any one of the following servers:
ftp.pgh.net:/pub/majordomo/majordomo-1.92.tar.Z ftp.cs.umb.edu:/pub/rouilj/majordomo-1.92.tar.Z FTP.GreatCircle.COM:/pub/majordomo/majordomo-1.92.tar.Z
Follow the installation instructions in the included main README file. Note that the compressed file should have the following checksum and signature.
```
                        BSD        SVR4
File                  Checksum   Checksum    MD5 Digital Signature
--------------------  ---------  --------- --------------------------------
majordomo-1.92.tar.Z  55701 223  23408 446 17d9bb9fd4872ab09d01bfeb643b5ebb
```
If your copy computes differently, contact the ftp site or CIAC before proceeding.

Quick fix for versions 1.91 and earlier that use the sendmail mailer (this fix is not supported for other mailers). For version 1.91, perform the first step only. For version 1.90 and earlier, perform both steps.
- Versions 1.91 and earlier:
  Disable new-list by either renaming or removing it from the aliases file.
- Versions 1.90 and earlier:
  Find all occurrences of strings of any the following forms:
```
"|/usr/lib/sendmail -f $to"                      #majordomo.pl
"|/usr/lib/sendmail -f $reply_to"                #request-answer
"|/usr/lib/sendmail -f $reply_to $list-approval" # new-list
"|/usr/lib/sendmail -f \$to"                     #majordomo.cf
```
  Change all occurrences of that string to
```
"|/usr/lib/sendmail -f -t" 
```
  You should find these strings in the request-answer, majordomo.pl, and your local majordomo.cf files.

CIAC acknowledges the CERT Coordination Center and John Rouillard of the University of Massachusetts at Boston for providing the information for this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]