[SECURITY-L] Majordomo info leakage, all versions

Silvana Mieko Misuta mieko em ccuec.unicamp.br
Qua Fev 5 12:02:56 -02 2003 

Subject: Majordomo info leakage, all versions
        Date: Tue, 04 Feb 2003 03:30:54 +0100
       From: Marco van Berkum <m.v.berkum em obit.nl>
 Organization: OBIT
         To: bugtraq em securityfocus.com

-------------------------------------------------------------------------------

Title                   : Majordomo info leakage (all versions)
Date                    : 03/02/2003
Article by              : Marco van Berkum (m.v.berkum em obit.nl)
Bug finder              : Jakub Klausa (jacke em bofh.pl)
Investigated by         : Jakub Klausa and Marco van Berkum
-------------------------------------------------------------------------------

Introduction:
--------------
Some while ago Jakub Klausa mailed me about a problem regarding the
Majordomo mailinglist program. At first we were not sure if it was a one

time problem or a common issue, so we checked several other servers
and installed Majordomo ourselves and found ALL Majordomo versions to
be vulnerable, also the latest Majordomo 2 (alpha).

The problem:
---------------
All email addresses can be extracted from mailinglists for which
'which_access' is set to "open" in the configuration file, which_access
is set to "open" by default !!

 Majordomo 1.94.5 documentation quote:

    "8.  By default, anyone (even non-subscribers) can use the commands
         "who", "which", "index", and "get" on a list.  If you create an

         empty file named "listname.private" in the $listdir directory,
only
         members of the list can use those commands."

Typical case of RTFDOC of course, but still, why isn't the private
configuration file the default one (?!), now people actually have to
read
the documentation to protect their lists against evil spammers. We all
know that admins do not always read the docs (uhuh).

So this bug can be exploited without being subscribed to any mailinglist

on that server when "which_access" is set to open. This bug can be
exploited
by sending:

   which @

   or

   which .

To the Majordomo daemon. Majordomo will then match "@" (or ".") on all
the
mailinglists that have 'which_access' set to "open". This then matches
all email addresses that are subscribed to that list.

There is a slight difference between the new Majordomo 2 (alpha) and the

current Majordomo 1.94.x branch.

Majordomo 1.94.x gives output such as this:

>>>> which @
The string '@' appears in the following
entries in lists served by majordomo em somedomain.com:

List                    Address
====                    =======
test-list               user em somedomain.com
test-list               anotheruser em anotherdomain.com
another-list            satan em evilmajordomodomain.net
another-list            bush em sopranos.org

etc...

Majordomo 2 also has the bug, not as much as the 1.94.x though:

>>>> which @
The pattern "/\@/i"
matched the following subscriptions.

Matches for the devils mailing list:
  satan em majordomo.org
-- Match limit of 1 for devils exceeded.

Matches for the britney mailing list:
  eminem em spears.net
-- Match limit of 1 for britney exceeded.

Impact:
-------
High. Not only privacy is the issue here, this bug could be used by evil

spammers to fill their databases. And the users did much of their work
for
them already, as the victims are usually well targeted (subject-specific

mailinglists come to mind).

Solution:
---------
general:
Read the documentation regarding $listname.private and set all
which_access
to "closed", or update to Majordomo 2 alpha, which still requires the
same attention.

Majordomo 1.94.5 and earlier:
As mentioned by the documentation that comes with Majordomo 1.94.5,
create an empty file named "$listname.private" in the $listdir.
It will only reduce the group of people being able to pick up all the
addresses
to the ones subscribed to the list. Check your current configurations
for
open which_access, close them.

Majordomo 2:
The authors responded quickly and changed default configuration settings

to be "closed". Get the latest CVS version, and check your current
configurations for open which_access, which_access should be closed at
any time.

Jakub made a patch for Majordomo 1.94.5.

[Patch]
This is a patch for Majordomo 1.94.5, which makes the Majordomo
ignore the 'which' request if they don't contain e-mail address-like
string as a parameter (roughly).


--- majordomo.orig      Mon Feb  3 13:23:45 2003
+++ majordomo   Mon Feb  3 13:23:23 2003
@@ -624,6 +624,11 @@

 sub do_which {
     local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+    if ($subscriber !~
/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+
+       &log("which abuse -> $subscriber passed as an argument.");
+       exit(0);
+       };
     local($count, $per_list_hits) = 0;
     # Tell the requestor which lists they are on by reading through all

     # the lists, comparing their address to each address from each list



Cheers

Marco van Berkum / http://ws.obit.nl / m.v.berkum em obit.nl
Jakub Klausa / jacke em bofh.pl

--
find / -user your -name base -exec chown us:us {}\;
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum em obit.nl / http://ws.obit.nl |
 ----------------------------------------

Mais detalhes sobre a lista de discussão SECURITY-L