[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Majordomo Vulnerabilities

Title: Majordomo Vulnerabilities
Released by: CERT
Date: 9th June 1994
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-94:11

Original issue date:  June 9, 1994

Last revised: September 23, 1997

                updated copyright statement

Topic: Majordomo Vulnerabilities

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of vulnerabilities in all

versions of Majordomo up to and including version 1.91. These vulnerabilities

enable intruders to gain access to the account that runs the Majordomo

software, even if the site has firewalls and TCP wrappers.

We recommend that all sites running Majordomo replace their current version

with version 1.92 (see Section III for instructions).  It is possible to apply

a quick fix to versions prior to 1.92, but we strongly recommend obtaining

1.92 instead.

We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     Two vulnerabilities have recently been found in Majordomo. These

     vulnerabilities enable intruders to gain access to the account that

     runs the Majordomo software, thus gaining the ability to execute

     arbitrary commands. The vulnerabilities can be exploited without

     a valid user name and password on the local machine, and firewalls

     and TCP wrapper protection can be bypassed. The CERT/CC has received

     reports that the vulnerabilities are currently being exploited.

II.  Impact

     Intruders can install and execute programs as the user running the

     Majordomo software.

III. Solution

     A.  Recommended solution for all versions through 1.92

         Obtain and install Majordomo version 1.93.

         This version is available from



        MD5 (majordomo-1.93.README) = 068bb343f23d3119cd196ed4222ab266

        MD5 (majordomo-1.93.tar.Z)  = c589a3c3d420d68e096eafdfdac0c8aa

     B.  Quick fix for versions 1.91 and earlier

         Until you are able to install the new version of Majordomo, you

         should install the following quick fix, which has two steps.

         If you are running Majordomo 1.90 and earlier, you must take both

         steps. If you are running version 1.91, you need only take the

         first step.

         Step 1 -  Disable new-list by either renaming the new-list program

                   or removing it from the aliases file.

                   If you have version 1.90 and earlier, go on to Step 2.

         Step 2 -  In every place in the Majordomo code where there is a

                   string of any of these forms,

         "|/usr/lib/sendmail -f $to"       #majordomo.pl

         "|/usr/lib/sendmail -f $reply_to" #request-answer

         "|/usr/lib/sendmail -f $reply_to $list-approval" # new-list

         "|/usr/lib/sendmail -f \$to"      #majordomo.cf

                   Change that string to

                       "|/usr/lib/sendmail -f -t"

                   Generally, you will find the strings in the request-answer

                   file, the majordomo.pl file, and your local majordomo.cf


         Note: If you are running a mailer other than sendmail, this step

               may not fix the vulnerability. You should obtain and install

               version 1.92 as described in Section A above.

- ---------------------------------------------------------------------------

The CERT Coordination Center thanks Brent Chapman of Great Circle

Associates and John Rouillard of the University of Massachusetts at

Boston for their support in responding to the problem.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in Forum of Incident

Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to

CERT via electronic mail, CERT strongly advises that the e-mail be

encrypted.  CERT can support a shared DES key, PGP (public key

available via anonymous FTP on info.cert.org), or PEM (contact CERT

for details).

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

           and are on call for emergencies during other hours.

CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890


Past advisories, information about FIRST representatives, and other

information related to computer security are available for anonymous

FTP from info.cert.org.

- ------------------------------------------------------------------------------

Copyright 1994, 1995, 1996 Carnegie Mellon University. Conditions for use,

disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision history

Sep. 23, 1997  Updated copyright statement

Aug. 30, 1996  Information previously in the README was inserted

               into the advisory. Changed URL format.

June 09, 1995  Sec. III.A - pointer to majordomo 1.93

June 1994      Sec. III.A - Added alternative FTP sites

               Sec. III.B - Revised step 2 of the workaround


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.