Majordomo info leakage, all versions

From: Marco van Berkum (m.v.berkum@obit.nl)
Date: 02/04/03

    Date: Tue, 04 Feb 2003 03:30:54 +0100
    From: Marco van Berkum <m.v.berkum@obit.nl>
    To: bugtraq@securityfocus.com
    
    

    -------------------------------------------------------------------------------
    Title : Majordomo info leakage (all versions)
    Date : 03/02/2003
    Article by : Marco van Berkum (m.v.berkum@obit.nl)
    Bug finder : Jakub Klausa (jacke@bofh.pl)
    Investigated by : Jakub Klausa and Marco van Berkum
    -------------------------------------------------------------------------------

    Introduction:
    --------------
    A while ago Jakub Klausa mailed me about a problem regarding the
    Majordomo mailing list program. At first we were not sure if it was a
    one-time problem or a common issue, so we checked several other servers
    and installed Majordomo ourselves, and found ALL Majordomo versions to
    be vulnerable, including the latest Majordomo 2 (alpha).

    The problem:
    ---------------
    All email addresses can be extracted from mailing lists for which
    'which_access' is set to "open" in the configuration file; which_access
    is set to "open" by default!

     Majordomo 1.94.5 documentation quote:

        "8. By default, anyone (even non-subscribers) can use the commands
             "who", "which", "index", and "get" on a list. If you create an
             empty file named "listname.private" in the $listdir directory, only
             members of the list can use those commands."

    A typical case of RTFDOC, of course, but still: why isn't the private
    configuration file the default one (?!) Now people actually have to read
    the documentation to protect their lists against evil spammers. We all
    know that admins do not always read the docs (uhuh).

    So this bug can be exploited without being subscribed to any mailing list
    on that server when "which_access" is set to open. The bug is triggered
    by sending:

       which @

       or

       which .

    to the Majordomo daemon. Majordomo will then match "@" (or ".") against all the
    mailing lists that have 'which_access' set to "open", which matches
    every email address subscribed to those lists.

    There is a slight difference between the new Majordomo 2 (alpha) and the
    current Majordomo 1.94.x branch.

    Majordomo 1.94.x gives output such as this:

    >>>> which @
    The string '@' appears in the following
    entries in lists served by majordomo@somedomain.com:

    List Address
    ==== =======
    test-list user@somedomain.com
    test-list anotheruser@anotherdomain.com
    another-list satan@evilmajordomodomain.net
    another-list bush@sopranos.org

    etc...

    Majordomo 2 also has the bug, though not as badly as 1.94.x:

    >>>> which @
    The pattern "/\@/i"
    matched the following subscriptions.

    Matches for the devils mailing list:
      satan@majordomo.org
    -- Match limit of 1 for devils exceeded.

    Matches for the britney mailing list:
      eminem@spears.net
    -- Match limit of 1 for britney exceeded.

    Impact:
    -------
    High. Privacy is not the only issue here; this bug could be used by evil
    spammers to fill their databases. And the users have done much of the work for
    them already, as the victims are usually well targeted (subject-specific
    mailing lists come to mind).

    Solution:
    ---------
    General:
    Read the documentation regarding $listname.private and set all which_access
    to "closed", or update to Majordomo 2 alpha, which still requires the same attention.

    Majordomo 1.94.5 and earlier:
    As mentioned in the documentation that comes with Majordomo 1.94.5,
    create an empty file named "$listname.private" in the $listdir.
    This only reduces the group of people able to pick up all the addresses
    to the ones subscribed to the list. Check your current configurations for
    open which_access and close them.

    Majordomo 2:
    The authors responded quickly and changed the default configuration settings
    to "closed". Get the latest CVS version, and check your current
    configurations for open which_access; which_access should be closed at
    all times.

    Jakub made a patch for Majordomo 1.94.5.

    [Patch]
    This is a patch for Majordomo 1.94.5, which makes Majordomo
    ignore 'which' requests that do not contain an e-mail-address-like
    string as a parameter (roughly).

    --- majordomo.orig Mon Feb 3 13:23:45 2003
    +++ majordomo Mon Feb 3 13:23:23 2003
    @@ -624,6 +624,11 @@
     
     sub do_which {
         local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
    + if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
    +
    + &log("which abuse -> $subscriber passed as an argument.");
    + exit(0);
    + };
         local($count, $per_list_hits) = 0;
         # Tell the requestor which lists they are on by reading through all
         # the lists, comparing their address to each address from each list
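    Review bot: the validation regex added at the top of do_which rejects legitimate addresses: the `[a-zA-Z]{2,3}$` tail refuses top-level domains longer than three letters (`.info`, `.name`, and others), and the local-part class `[0-9a-zA-Z\.\-\_]` omits `+` and other characters a mailbox name may contain, so subscribers with such addresses lose the `which` command entirely. Loosening the tail to `\.[a-zA-Z]{2,}$` and adding `+` to the local-part class keeps the intent (require a full address rather than a bare `@` or `.`) without those false rejections. Separately, `exit(0)` after the `&log(...)` call terminates the whole majordomo run, so any other commands in the same message that follow the rejected `which` are never processed; returning from do_which instead would let the remaining commands run while still refusing the bad pattern. The `};` closing the block carries a redundant semicolon.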

    Cheers

    Marco van Berkum / http://ws.obit.nl / m.v.berkum@obit.nl
    Jakub Klausa / jacke@bofh.pl

    -- 
    find / -user your -name base -exec chown us:us {}\;
     ----------------------------------------
    |    Marco van Berkum / MB17300-RIPE     |
    | m.v.berkum@obit.nl / http://ws.obit.nl |
     ----------------------------------------
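As an added example (not part of the advisory and not Majordomo's own code), a Python audit script for the check the solution section recommends: it walks a Majordomo 1.94.x $listdir and reports each list whose which_access is still open (treating an absent setting as open, the default the advisory states) and that has no listname.private file. The "key = value" config line syntax, the `.config` file suffix and the sample list contents are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed Majordomo 1.94.x config syntax: one "key = value" per line, e.g. "which_access = open".
ACCESS_RE = re.compile(r'^\s*which_access\s*=\s*(\S+)', re.IGNORECASE)

def which_access_setting(config_path):
    """Return the which_access value from a list config file. An absent line counts
    as 'open', since the advisory states that open is the default."""
    value = 'open'
    with open(config_path) as fh:
        for line in fh:
            if line.lstrip().startswith('#'):
                continue  # commented lines only document the default; they do not set it
            m = ACCESS_RE.match(line)
            if m:
                value = m.group(1).lower()
    return value

def audit_listdir(listdir):
    """Return sorted (listname, which_access) for every list whose 'which' command is
    still open to non-subscribers: which_access open and no <listname>.private file."""
    exposed = []
    for name in sorted(os.listdir(listdir)):
        if not name.endswith('.config'):
            continue
        listname = name[:-len('.config')]
        setting = which_access_setting(os.path.join(listdir, name))
        has_private = os.path.exists(os.path.join(listdir, listname + '.private'))
        if setting == 'open' and not has_private:
            exposed.append((listname, setting))
    return exposed

def make_sample_listdir():
    """Constructed sample $listdir with lists in four different states (not real data)."""
    d = tempfile.mkdtemp()
    samples = {
        'test-list.config': 'which_access = open\n',                        # exposed
        'devils.config': '# which_access = open\nwhich_access = closed\n',  # closed
        'britney.config': '',                                               # default open ...
        'britney.private': '',                                              # ... but protected
        'another-list.config': 'which_access = list\n',                     # members only
    }
    for fname, body in samples.items():
        with open(os.path.join(d, fname), 'w') as fh:
            fh.write(body)
    return d
```

Running `audit_listdir(make_sample_listdir())` on the constructed directory returns only `[('test-list', 'open')]`; point `audit_listdir` at a real $listdir to get the lists that still need a `.private` file or a closed which_access.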
    

