Majordomo2 Directory Traversal

2011.03.10

Credit: Nikolas Sotiriu

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

______________________________________________________________________
-------------------------- NSOADV-2011-003 ---------------------------

     Majordomo2 'help' Command Directory Traversal (Patch Bypass)
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  Majordomo2 'help' Command Directory Traversal
  Severity:               Medium
  Advisory ID:            NSOADV-2011-003
  CVE:                    CVE-2011-0063
  Found Date:             03.02.2011
  Date Reported:          03.02.2011
  Release Date:           19.02.2011
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  Website:                http://sotiriu.de/
  Twitter:                http://twitter.com/nsoresearch
  Advisory-URL:           http://sotiriu.de/adv/NSOADV-2011-003.txt
  Vendor/Project:         http://www.mj2.org/
  Affected Products:      majordomo2 <= 20110203
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo
mailing list manager software by Jason Tibbitts and Michael Yount.



Description:
============

Majordomo2 <= 20110203 is affected by a Directory Traversal
vulnerability due to parameter 'extra' of the 'help' command in the
function '_list_file_get()' is not properly sanitized.

The original bug was made public on 03.02.2011 by Michael Brooks
of sitewat.ch:

https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064

I discovered, that the patch, which is in the CVS since version 20110125
don't protect against the Directory Traversal bug.

https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481

The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes
'../' from $file. Bypassing this regex is quiet simple by using './.../'
insted '../'.



Proof of Concept :
==================

HTTP:
http://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&
extra=./..././..././..././..././..././..././..././.../etc/passwd

SMTP:
help ./..././..././..././..././..././..././..././.../etc/passwd



Solution:
=========

Update to Majordomo2 >= 20110204

http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz



References:
===========

Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307



Disclosure Timeline (YYYY/MM/DD):
=================================

2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opend Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts comitted a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discuss the public disclosure
2011.03.04: Got the Bug Bounty Money
2011.03.08: Release of Advisory






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Majordomo2 Directory Traversal

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.