Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25895
HistoryMar 10, 2011 - 12:00 a.m.

NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass)

2011-03-1000:00:00
vulners.com
32

-------------------------- NSOADV-2011-003 ---------------------------

 Majordomo2 'help' Command Directory Traversal (Patch Bypass)


                           111101111
                    11111 00110 00110001111
               111111 01 01 1 11111011111111
            11111  0 11 01 0 11 1 1  111011001
         11111111101 1 11 0110111  1    1111101111
       1001  0 1 10 11 0 10 11 1111111  1 111 111001
     111111111 0 10 1111 0 11 11 111111111 1 1101 10
    00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
   10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
   0111111110 0110 1110 1 0 11101111111111111011 11100  00
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1  1 111 1   10011 101111111111011111111 0   1100

111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111



Title: Majordomo2 'help' Command Directory Traversal
Severity: Medium
Advisory ID: NSOADV-2011-003
CVE: CVE-2011-0063
Found Date: 03.02.2011
Date Reported: 03.02.2011
Release Date: 19.02.2011
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt
Vendor/Project: http://www.mj2.org/
Affected Products: majordomo2 <= 20110203
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy

Background:

Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo
mailing list manager software by Jason Tibbitts and Michael Yount.

Description:

Majordomo2 <= 20110203 is affected by a Directory Traversal
vulnerability due to parameter 'extra' of the 'help' command in the
function '_list_file_get()' is not properly sanitized.

The original bug was made public on 03.02.2011 by Michael Brooks
of sitewat.ch:

https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064

I discovered, that the patch, which is in the CVS since version 20110125
don't protect against the Directory Traversal bug.

https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481

The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes
'…/' from $file. Bypassing this regex is quiet simple by using './…/'
insted '…/'.

Proof of Concept :

HTTP:
http://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&
extra=./…/./…/./…/./…/./…/./…/./…/./…/etc/passwd

SMTP:
help ./…/./…/./…/./…/./…/./…/./…/./…/etc/passwd

Solution:

Update to Majordomo2 >= 20110204

http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz

References:

Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307

Disclosure Timeline (YYYY/MM/DD):

2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opend Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts comitted a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discuss the public disclosure
2011.03.04: Got the Bug Bounty Money
2011.03.08: Release of Advisory

Related for SECURITYVULNS:DOC:25895