Ezmlm is an easy-to-use mailing list manager that uses qmail as the SMTP agent. Ezmlm-CGI is a CGI application that allows list archives to be viewed over the web. The documentation states that the CGI should be installed setuid root, but in a real-world environment many administrators are unlikely to blindly setuid root any files they download off the web. When it is not installed setuid root, a vulnerability arises in the way ezmlm-cgi locates and handles its configuration files.
Credit:
The information has been provided by vort-fu.
Vulnerable systems:
ezmlm-cgi version 0.4 (part of ezmlm-idx-0.40)
Typically, ezmlm-cgi is setuid to a specific user, allowing the CGI to access the mailing list configuration for that particular user. However, when it is not installed setuid root, ezmlm-cgi attempts to read the configuration file from the current working directory instead of from /etc/ezmlm/. A local user can therefore create their own configuration file and have ezmlm-cgi execute arbitrary commands with the effective user ID of the setuid binary.
It is interesting to note that although ezmlm-cgi asks to be installed setuid root, it does not drop privileges when executing the banner directive of the configuration file, nor does it make any attempt to read the configuration from the directory where the program itself is stored.