symlink problem in mj_key_cache program

Summary
Description: This Perl program, part of MajorCool (which is apparently related to the Majordomo list server software), has a standard symlink problem: it writes its cache through a fixed, predictable path in /tmp.
Author: Benjamin J Stassart <dszd0g@DASB.FHDA.EDU>
Compromise: corrupt files writable by the user/group mj_key_cache runs as (usually via cron). This user is usually majordom.
Vulnerable Systems: Anything running MajorCool 1.0.3 or below with mj_key_cache cron'd
Date: 18 June 1997
Details


Date: Wed, 18 Jun 1997 04:22:52 -0700
From: Benjamin J Stassart <dszd0g@DASB.FHDA.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Security hole in MajorCool 1.0.3

X-Premail-Auth: Key matching expected Key ID E152827D not found

-----BEGIN PGP SIGNED MESSAGE-----


Brief Description
-----------------
The mj_key_cache program that comes with MajorCool
1.0.3 and earlier writes to /tmp/cache without proper checking.


Impact
------
Systems running MajorCool 1.0.3 and below with the mj_key_cache
program cron'd, as is necessary for most operation, are vulnerable.  This
vulnerability allows any user on the local system to corrupt any file
writable by the user and group mj_key_cache runs as.  This is usually
majordom/majordom, although it is set at installation.


Fix
---
Patch the mj_key_cache program using the diff written by a fellow system
administrator, Ash <ash@dasb.fhda.edu>, at the bottom of this message, or
upgrade to the next release of MajorCool when it becomes available.  We
have been in contact with Mr. Houle and he said that he will incorporate
Ash's changes in the next release of MajorCool.


Full Description
----------------

mj_key_cache is a cron job for MajorCool that stores list information in
~majordom/lists/.majorcool_cache to be used by the majordomo cgi
perl script.

The following line from mj_key_cache is where the vulnerability is:

open(TMP, ">/tmp/cache") || &squawk("Could not open cache");

This can be exploited by creating a symbolic link from /tmp/cache to the
file that is to be corrupted.

Ash rewrote mj_key_cache to avoid using a temp file altogether.


mj_key_cache diff rewritten by ash@dasb.fhda.edu
-------------------------------------------
*** mj_key_cache        Fri May 30 17:21:48 1997
- --- mj_key_cache.orig Tue May 27 20:14:45 1997
***************
*** 71,77 ****
  @lists = readdir(RD_DIR);
  closedir(RD_DIR);

! open(CACHE, "> $cache") || &squawk("Could not open cache");
  foreach (sort @lists) {
        local($list) = $_;
        $list =~ s,^.*/,,;                      # strip off leading path
- --- 71,77 ----
  @lists = readdir(RD_DIR);
  closedir(RD_DIR);

! open(TMP, ">/tmp/cache") || &squawk("Could not open cache");
  foreach (sort @lists) {
        local($list) = $_;
        $list =~ s,^.*/,,;                      # strip off leading path
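Review bot: the diff runs in reverse: the `***` side (`mj_key_cache`, dated May 30) carries Ash's fix and the `---` side (`mj_key_cache.orig`, May 27) is the unpatched file, so applying it to a stock 1.0.3 copy needs `patch -R`, or the diff should be regenerated as `diff -c mj_key_cache.orig mj_key_cache` before distribution. The substantive change, `open(CACHE, "> $cache")` in the lock-protected list directory instead of `open(TMP, ">/tmp/cache")`, removes the world-writable temp path and is the right fix; note, though, that this open truncates `$cache` before a single list has been read, so any failure inside the following `foreach` leaves an empty cache behind.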
***************
*** 84,101 ****
        local($policy) = $config_opts{$list,'subscribe_policy'};
        local($advertise) = $config_opts{$list,'advertise'};
        local($noadvertise) = $config_opts{$list,'noadvertise'};
!       push @TMP, "$list#$owner#$policy#$desc#$advertise#$noadvertise\n";
  }
! print CACHE @TMP;
! close(CACHE);

! #if ( -s "/tmp/cache" ) {
! #     system("cp /tmp/cache $cache; rm /tmp/cache");
        printf STDERR "$main'program_name: cache complete\n" if $verbose;
! #}
! #else {
! #     &squawk("Key cache file empty: /tmp/cache");
! #}

  # free_lock is only 1.94
  &free_lock("$listdir/.cache.LOCK") if defined(&free_lock);
- --- 84,100 ----
        local($policy) = $config_opts{$list,'subscribe_policy'};
        local($advertise) = $config_opts{$list,'advertise'};
        local($noadvertise) = $config_opts{$list,'noadvertise'};
!       print TMP "$list#$owner#$policy#$desc#$advertise#$noadvertise\n";
  }
! close(TMP);

! if ( -s "/tmp/cache" ) {
!       system("cp /tmp/cache $cache; rm /tmp/cache");
        printf STDERR "$main'program_name: cache complete\n" if $verbose;
! }
! else {
!       &squawk("Key cache file empty: /tmp/cache");
! }

  # free_lock is only 1.94
  &free_lock("$listdir/.cache.LOCK") if defined(&free_lock);
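Review bot: the `-s` size check that stopped an empty cache from being published is commented out rather than replaced, so an empty `@lists` (an unreadable list directory, say) now silently overwrites a good `.majorcool_cache`. Suggest checking the buffer before the cache is opened, e.g. `&squawk("Key cache empty") unless @TMP;` immediately ahead of `open(CACHE, "> $cache")`, and moving that open down to just before `print CACHE @TMP;` so the file is truncated only once there is content to write; the commented-out `/tmp/cache` lines should be deleted rather than carried as dead code. Reusing the name `TMP` for the array after dropping the `TMP` filehandle is legal Perl but reads confusingly next to the original; `@cache_lines` would be clearer.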
-------------------------------------------------------------------
end of mj_key_cache diff

Benjamin J. Stassart
------------------------------------------------+
 A great many people think they are thinking    |
 when they are merely rearranging their         |
 prejudices                                     |

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM6fFD5ePz5nhUoJ9AQGBoQP/ZYYhsaxNfj3iFfMGoRyp2nGGa7hRpz3z
xcphSnFed75DRxctnZHNJYaQeKqzFZXIP0MmxGI5WpZw+E1dByX2JSATcRloLt0x
pseA1a8bDkIMCQt/eZ/3zs+dlmm1fmAeh94nheETIUwEUvMvv/2Zy/gSvWyBSbgL
vRS4JGUVGgU=
=F3sK
-----END PGP SIGNATURE-----
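The pattern the post describes, a privileged cron job writing through a fixed name in a world-writable directory, is avoided by never touching /tmp at all: build the content in memory, create the temporary file next to the target with O_EXCL so a pre-planted file or symlink makes the open fail, verify it, and rename it into place. The following Perl is an added example written for this page; it is not MajorCool's code or Ash's patch. The function name `write_cache_atomically`, the `MJ_CACHE` environment variable and the two sample list records are assumptions made for the example.

```perl
#!/usr/bin/perl -w
# Added example (not MajorCool's code): publish a cache file without using a
# world-writable temp directory, so a symlink planted in /tmp has no effect.
# Assumption: $cache lives in a directory owned by the cron user, as
# ~majordom/lists/.majorcool_cache does; @lines is the cache content.
use strict;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Basename qw(dirname);

# O_NOFOLLOW is not defined on every platform; use 0 (no-op) where absent.
my $O_NOFOLLOW = eval { Fcntl::O_NOFOLLOW() } || 0;

sub write_cache_atomically {
    my ($cache, @lines) = @_;

    # Refuse to clobber a good cache with an empty one (the -s check the
    # original script performed, done before anything is written).
    die "cache content is empty, leaving $cache untouched\n" unless @lines;

    # Temp file sits in the same directory as the target, not in /tmp, so
    # rename() is atomic and unprivileged users cannot pre-create the name.
    my $tmp = sprintf "%s/.cache.%d.%d.tmp", dirname($cache), $$, time;

    # O_EXCL makes the open fail if anything (file or symlink) already exists
    # at $tmp; O_NOFOLLOW additionally refuses to follow a symlink where supported.
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL | $O_NOFOLLOW, 0644)
        or die "cannot create $tmp: $!\n";
    print $fh @lines or die "write to $tmp failed: $!\n";
    close($fh)       or die "close of $tmp failed: $!\n";

    # Verify what landed on disk before publishing it.
    unless (-s $tmp) {
        unlink $tmp;
        die "temp cache $tmp is empty\n";
    }

    # rename() replaces $cache in one step: readers see the old file or the
    # new one, never a partially written one.
    rename($tmp, $cache) or do {
        my $err = $!;
        unlink $tmp;
        die "rename $tmp -> $cache failed: $err\n";
    };
    return 1;
}

# Usage with constructed sample records in the list#owner#policy#desc#adv#noadv
# layout the script produces (hypothetical lists, not real data).
my @sample = (
    "announce#owner\@example.org#open#Announcements#yes#no\n",
    "devel#owner\@example.org#closed#Development#yes#no\n",
);
my $cache = $ENV{MJ_CACHE} || "./.majorcool_cache";   # assumed location
write_cache_atomically($cache, @sample);
print STDERR "cache complete\n";
```

Two design choices matter here. The temporary name is created in the destination directory rather than any shared one, which is what makes the `rename` atomic and keeps other local users from influencing the path at all; and the script never shells out (`system("cp ...; rm ...")` in the original is replaced by a single `rename`), so there is no window between writing and installing the file in which a second process can substitute its contents.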

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.