Subject: ezmlm-cgi/ezmlm-idx-0.40 security advisory
From: Frederik Lindberg (fred@CHEETAHMAIL.COM)
Date: Thu Dec 07 2000 - 13:35:05 CST
- Next message: c0ncept: "format string in ssl dump"
- Previous message: Robert Feldbauer: "Re: Killing ircds via DNS"
- In reply to: Frederik Lindberg: "Re: ezmlm-cgi"
- Reply: Frederik Lindberg: "ezmlm-cgi/ezmlm-idx-0.40 security advisory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Summary:
ezmlm-cgi is part of the ezmlm-idx-0.40.tar.gz package and allows web
access to mailing list archives. When ezmlm-cgi is installed SUID (user
other than root), it can be used to execute arbitrary commands with the
effective uid of the SUID user.
Scope:
Default installations of ezmlm-idx-0.40 are not vulnerable since
ezmlm-cgi is not installed SUID by default. SUID root installations are
not vulnerable since ezmlm-cgi uses a fixed configuration file location
and drops privileges in this execution mode. SUID user (user != root)
installations are discussed in the man page, but should be rare. Their
vulnerability depends on group and world execute permissions of the
ezmlm-cgi binary.
Credit:
Thanks vortfu (vort@wiretapped.net) for reporting this. I sincerely
apologize for my initial somewhat obnoxious follow-up post.
ezmlm-idx-0.40 is an add-on to Dan Bernstein's ezmlm-0.53 package. The
responsibility for this flaw is entirely mine (Dan would never make a
mistake like this).
Details:
ezmlm-cgi can be installed by a user to allow web access to that user's
mailing list archives. It reads a config file from the working
directory. The config file can contain a banner program name, which
ezmlm-cgi executes. ezmlm-cgi can also be installed SUID root. In this
case, ezmlm-cgi reads a config file from /etc, chdirs and chroots to
the list directory, drops root privileges, verifies that the drop
succeeded, and then optionally executes a banner program.
When installed SUID user != root, ezmlm-cgi behaves just as for normal
installs: it reads the config file from the working directory. A user
with execute permission on the ezmlm-cgi binary can therefore create his
own config file directing ezmlm-cgi to execute an arbitrary program with
the effective user id of the ezmlm-cgi binary.
Fix:
A patched version of ezmlm-cgi.c, ezmlm-cgi.1 (man page), as well as
the patch (ezmlm-cgi.patch) are available from
ftp://ftp.ezmlm.org/pub/patches/ and http://www.ezmlm.org/pub/patches/.
This version removes the support for the execution of banner programs.
HTML banners are still supported. The (small) patch can also be found
below.
Alternatively, assure that you have not installed ezmlm-cgi SUID user.
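An added audit helper, not part of the advisory or the ezmlm-idx package, that applies the Scope criteria above to a binary's permissions: setuid bit set, owner other than root, and group or world execute permission. It works from the mode string and numeric owner printed by ls -ln, so it needs nothing beyond POSIX tools; the path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): classify a binary the way the
# advisory's Scope section does. Only "risky" matches the vulnerable
# configuration: SUID to a non-root user AND executable by group or others.

# classify_mode SYMBOLIC_MODE OWNER_UID
#   SYMBOLIC_MODE is the ls(1) mode string, e.g. "-rwsr-xr-x";
#   OWNER_UID is the numeric owner. Prints one of:
#   not-suid, suid-root, suid-user-private, risky. Returns 0 only for risky.
classify_mode() {
    mode=$1
    uid=$2
    # Character 4 is the owner execute slot; 's' or 'S' means setuid is set.
    case "$mode" in
        ???[sS]*) ;;
        *) echo not-suid; return 1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        # SUID root: ezmlm-cgi uses a fixed config path and drops privileges.
        echo suid-root; return 1
    fi
    # Character 7 is group execute, character 10 is other execute.
    # 'x', 's' (setgid+exec) and 't' (sticky+exec) all mean executable;
    # 'S' and 'T' mean the special bit is set but execute is not.
    gx=$(printf '%s' "$mode" | cut -c7)
    ox=$(printf '%s' "$mode" | cut -c10)
    case "$gx$ox" in
        *[xst]*) echo risky; return 0 ;;
        *)       echo suid-user-private; return 1 ;;
    esac
}

# audit_file PATH: run classify_mode on a real file. ls -lnd prints the
# mode string as field 1 and the numeric owner as field 3.
audit_file() {
    line=$(ls -lnd "$1") || return 2
    set -- $line
    classify_mode "$1" "$3"
}

# Usage: ./check.sh /path/to/ezmlm-cgi   (hypothetical install path)
if [ $# -gt 0 ]; then
    audit_file "$1"
fi
```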
Sincerely, Fred Lindberg
----- ezmlm-cgi.c.orig Thu Dec 7 13:26:45 2000 +++ ezmlm-cgi.c Thu Dec 7 13:36:30 2000
-805,31 +805,8
if ((flagspecial & SPC_BANNER) && banner && *banner) { oputs("<DIV class=banner>\n"); if (*banner == '<') oputs(banner); - else { - substdio_flush(&ssout); - sig_pipeignore(); - bannerargs[0] = banner; - bannerargs[1] = host; - bannerargs[2] = local; - bannerargs[3] = 0; - /* We log errors but just complete the page anyway, since we're */ - /* already committed to output something. */ - switch(child = fork()) { - case -1: - strerr_warn3(FATAL,ERR_FORK,"banner program: ",&strerr_sys); - break; - case 0: - execv(*bannerargs,bannerargs); - strerr_die3x(100,FATAL,ERR_EXECUTE,"banner program: "); - break; - } - /* parent */ - wait_pid(&wstat,child); - if (wait_crashed(wstat)) - strerr_warn2(FATAL,ERR_CHILD_CRASHED,(struct strerr *) 0); - if (wait_exitcode(wstat)) - strerr_warn2(FATAL,ERR_CHILD_UNKNOWN,(struct strerr *) 0); - } + else + strerr_die2x(100,FATAL,"Sorry - banner programs not supported"); oputs("</DIV>\n"); } oputs("</BODY>\n\n"); --- ezmlm-cgi.1.orig Thu Dec 7 13:40:43 2000 +++ ezmlm-cgi.1 Thu Dec 7 13:56:44 2000
-234,16 +234,21
to avoid trapping robots in the archive. .SH EXECUTION .B ezmlm-cgi -can operate in three modes, -.IR SUID\ root , -.IR SUID\ user , +can operate in two modes, +.I SUID\ root and .IR normal . +.B ezmlm-cgi +should not be installed SUID +.I user +other than root. +Please see the +.B SECURITY +section before installing SUID +.IR root .
In .I normal -and -.I SUID user mode, .B ezmlm-cgi will read the configuration file
-255,9 +260,7
.B ezmlm-cgi is in), then change directory to the list directory. ``uid'' is ignored. -.I SUID user -may be required to read the particular archive if it is not owned by the -httpd user. For user installations or systems where +For user installations or systems where the httpd user has access to all the lists, .I normal mode usually gives sufficient access.
-277,22 +280,10
directory is not, it is safest to leave ``uid'' blank. The httpd user will still be able to read the files. .SH "EXECUTION OF BANNER PROGRAMS" -A banner program can be specified in the config file. It is executed -immediately before the end of the text. The formatting for -``<BODY>'' is active and the banner program output is encapsulated in -a ``<DIV class=banner>'' segment to allow additional formatting. -The banner program is called for all summary views, but not for the message -view itself. - -The banner program is give the list local name as argument 1, and the host -name as argument 2. It is expected to exit 0 on success. The return code is -checked, but the archive page (and whatever the banner program has already -produced) is output even if the banner program fails. - -.B chroot(3) -may make it difficult to run banner programs that depend on e.g. ``sh'' -or ``perl''. For this reason, the chroot call can be suppressed by prefixing -the ``uid'' with a ``-''. +.B ezmlm-cgi +supports display of banners, but not execution of banner programs. To +obtain dynamic banners, use a URL that points to a banner program elsewhere. + .SH SECURITY .B ezmlm-cgi will refuse to run as root.
-308,14 +299,8
list directories and archives).
.B ezmlm-cgi -will allow execution of banner programs that are located outside of the list -directory. These are executed with the privileges of the userid set in the -config file. If the program is installed SUID root, banner programs outside -of the list directory are not normally accessible. Even when this is overridden, -.B ezmlm-cgi -will never execute the program with root permissions. +will not allow execution of banner programs.
-Input to the CGI script is not propagated to the banner program. .SH BUGS .B ezmlm-send(1) updates the list message counter once a message is safely archived, but
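Review bot: in the ezmlm-cgi.c hunk, the replacement `strerr_die2x(100,FATAL,"Sorry - banner programs not supported")` aborts after `oputs("<DIV class=banner>\n")` has already been written, so a config file that still names a banner program turns every summary page into a truncated document with an unclosed DIV and BODY, whereas the removed code deliberately logged errors and completed the page. Prefer `strerr_warn2(FATAL,"banner programs not supported",(struct strerr *) 0)` (or simply skipping the banner) followed by the existing `oputs("</DIV>\n")`, or reject a banner value that does not start with '<' where the config file is parsed, before any output is started. The `child`, `wstat` and `bannerargs[]` variables and the `sig_pipeignore`/`wait_pid` calls used only by the removed lines are now unused here; if their declarations (not visible in the hunk) exist only for this block, drop them to avoid compiler warnings.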
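Review bot: the EXECUTION hunk (-234,16 +234,21) says ezmlm-cgi "should not be installed SUID user other than root" but gives no reason, while the very next sentence still documents that in normal mode the configuration file is read from the working directory, which is exactly why a SUID user install is unsafe (anyone who can execute the binary can supply that file). Add one sentence stating that, and cross-reference the SECURITY section for SUID user the way the hunk already does for SUID root. The phrase "SUID user other than root" also reads oddly next to the two remaining modes; "SUID to any user other than root" is clearer.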
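Review bot: the -255,9 +260,7 hunk removes "SUID user may be required to read the particular archive if it is not owned by the httpd user" and leaves that case undocumented; the replacement sentence only covers systems where "the httpd user has access to all the lists". Add a sentence pointing administrators to SUID root mode (which, as the advisory text describes, reads a fixed config file, changes to the list directory and drops root privileges) as the supported way to reach archives the httpd user cannot read, otherwise they may reintroduce a SUID user install to regain access.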
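Review bot: in the -277,22 +280,10 hunk the section keeps the title "EXECUTION OF BANNER PROGRAMS" while its new body says execution is not supported; rename it (e.g. BANNERS) so a reader scanning headings is not misled. The new text should also state what the code now requires: per the ezmlm-cgi.c hunk a banner value is emitted only when it starts with '<', and any other value makes ezmlm-cgi exit with status 100, so "supports display of banners" needs to say the config value must be an HTML fragment beginning with '<'. Finally, the removed paragraph was the only documentation of suppressing chroot by prefixing ``uid'' with ``-''; if the code still honours that prefix, it is now undocumented and should either be described under EXECUTION or removed from the code.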
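Review bot: the SECURITY hunk (-308,14 +299,8) now reads "will not allow execution of banner programs" but says nothing about the HTML banner path that remains: the ezmlm-cgi.c hunk emits the config-file banner verbatim with `oputs(banner)`, so whoever can write the configuration file (in normal mode, the one in the working directory) controls raw HTML in every summary page. Add a sentence making that trust assumption explicit. The deleted line "Input to the CGI script is not propagated to the banner program" could be replaced by a statement that CGI input never reaches the banner at all, since that is the property administrators read this section for.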
--
Sincerely, Fred
Frederik Lindberg, CTO, CheetahMail