-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-94:11
Original issue date:  June 9, 1994
Last revised: August 30, 1996
              Information previously in the README was inserted
              into the advisory. Changed URL format.

              A complete revision history is at the end of this file.

Topic: Majordomo Vulnerabilities
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of vulnerabilities in all
versions of Majordomo up to and including version 1.91. These vulnerabilities
enable intruders to gain access to the account that runs the Majordomo
software, even if the site has firewalls and TCP wrappers. 

We recommend that all sites running Majordomo replace their current version
with version 1.92 (see Section III for instructions).  It is possible to apply
a quick fix to versions prior to 1.92, but we strongly recommend obtaining
1.92 instead. 

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     Two vulnerabilities have recently been found in Majordomo. These
     vulnerabilities enable intruders to gain access to the account that 
     runs the Majordomo software, thus gaining the ability to execute 
     arbitrary commands. The vulnerabilities can be exploited without 
     a valid user name and password on the local machine, and firewalls 
     and TCP wrapper protection can be bypassed. The CERT/CC has received
     reports that the vulnerabilities are currently being exploited. 

II.  Impact

     Intruders can install and execute programs as the user running the
     Majordomo software.

III. Solution

     A.  Recommended solution for all versions through 1.92

         Obtain and install Majordomo version 1.93.

         This version is available from

         ftp://ftp.pgh.net/pub/majordomo/
         ftp://ftp.greatcircle.com/pub/majordomo/

        MD5 (majordomo-1.93.README) = 068bb343f23d3119cd196ed4222ab266
        MD5 (majordomo-1.93.tar.Z)  = c589a3c3d420d68e096eafdfdac0c8aa


     B.  Quick fix for versions 1.91 and earlier
         
         Until you are able to install the new version of Majordomo, you
         should install the following quick fix, which has two steps.
         If you are running Majordomo 1.90 and earlier, you must take both
         steps. If you are running version 1.91, you need only take the 
         first step. 

         Step 1 -  Disable new-list by either renaming the new-list program
                   or removing it from the aliases file. 

                   If you have version 1.90 and earlier, go on to Step 2.


         Step 2 -  In every place in the Majordomo code where there is a
                   string of any of these forms,

         "|/usr/lib/sendmail -f<whatever> $to"       #majordomo.pl
         "|/usr/lib/sendmail -f<whatever> $reply_to" #request-answer
         "|/usr/lib/sendmail -f<whatever> $reply_to $list-approval" # new-list
         "|/usr/lib/sendmail -f<whatever> \$to"      #majordomo.cf

                   Change that string to

                       "|/usr/lib/sendmail -f<whatever> -t"

                   Generally, you will find the strings in the request-answer
                   file, the majordomo.pl file, and your local majordomo.cf
                   file.


         Note: If you are running a mailer other than sendmail, this step 
               may not fix the vulnerability. You should obtain and install
               version 1.92 as described in Section A above.

- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Brent Chapman of Great Circle
Associates and John Rouillard of the University of Massachusetts at
Boston for their support in responding to the problem.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be
encrypted.  CERT can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT
for details).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous 
FTP from info.cert.org.

Copyright 1994, 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Aug. 30, 1996  Information previously in the README was inserted
               into the advisory. Changed URL format.

June 09, 1995  Sec. III.A - pointer to majordomo 1.93

June 1994      Sec. III.A - Added alternative FTP sites
               Sec. III.B - Revised step 2 of the workaround


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiSoPnVP+x0t4w7BAQF2YwQAi0rNF/MEQ6JuuIHjqbxNDKfXvW3kl+y8
yGZif/VbsUJRs7EOYQAkjgr5+t2oRzt3Y4NgSt2xtxzq5TJiDOZxxevTPLVATZ7d
4lIPmhBl7Cuh6NtOeIyv4UtQghzl+lqjXBhTPCoTObWRjx17xba04QLUZd0g6CXf
0E5dlPKOyMg=
=+2Bq
-----END PGP SIGNATURE-----