CERT^® Advisory CA-1994-11 Majordomo Vulnerabilities

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of vulnerabilities in all versions of Majordomo up to and including version 1.91. These vulnerabilities enable intruders to gain access to the account that runs the Majordomo software, even if the site has firewalls and TCP wrappers.

We recommend that all sites running Majordomo replace their current version with version 1.92 (see Section III for instructions). It is possible to apply a quick fix to versions prior to 1.92, but we strongly recommend obtaining 1.92 instead.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

II. Impact

III. Solution

A. Recommended solution for all versions through 1.92

This version is available from

ftp://ftp.pgh.net/pub/majordomo/

ftp://ftp.greatcircle.com/pub/majordomo/

MD5 (majordomo-1.93.README) = 068bb343f23d3119cd196ed4222ab266
MD5 (majordomo-1.93.tar.Z) = c589a3c3d420d68e096eafdfdac0c8aa

B. Quick fix for versions 1.91 and earlier

Step 1 - Disable new-list by either renaming the new-list program or removing it from the aliases file.

If you have version 1.90 and earlier, go on to Step 2.

Step 2 - In every place in the Majordomo code where there is a string of any of these forms,

"|/usr/lib/sendmail -f<whatever> $to"      #majordomo.pl
"|/usr/lib/sendmail -f<whatever> $reply_to" #request-answer
"|/usr/lib/sendmail -f<whatever> $reply_to $list-approval" # new-list
"|/usr/lib/sendmail -f<whatever> \$to"      #majordomo.cf

"|/usr/lib/sendmail -f<whatever> -t

Note: If you are running a mailer other than sendmail, this step may not fix the vulnerability. You should obtain and install version 1.92 as described in Section A above.

The CERT Coordination Center thanks Brent Chapman of Great Circle Associates and John Rouillard of the University of Massachusetts at Boston for their support in responding to the problem.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 1994, 1996 Carnegie Mellon University.

Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory. Changed URL format.
June 09, 1995  Sec. III.A - pointer to majordomo 1.93
June 1994      Sec. III.A - Added alternative FTP sites
               Sec. III.B - Revised step 2 of the workaround