what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Gentoo Linux Security Advisory 200808-12

Gentoo Linux Security Advisory 200808-12
Posted Aug 15, 2008
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200808-12 - Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with the systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow to hardlink a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937). Versions less than 2.5.3-r1 are affected.

tags | advisory, arbitrary, local, root
systems | linux, solaris, suse, osx, gentoo
advisories | CVE-2008-2936, CVE-2008-2937
SHA-256 | d497bc162a46389e6722a35709f7ab1c3bd832aedc68b2878c475b7a46f79038

Gentoo Linux Security Advisory 200808-12

Change Mirror Download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200808-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Postfix: Local privilege escalation vulnerability
Date: August 14, 2008
Bugs: #232642
ID: 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Postfix incorrectly checks the ownership of a mailbox, allowing, in
certain circumstances, to append data to arbitrary files on a local
system with root privileges.

Background
==========

Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mail-mta/postfix < 2.5.3-r1 *>= 2.4.7-r1
>= 2.5.3-r1

Description
===========

Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).

Impact
======

The combination of these features allows a local attacker to hardlink a
root-owned symlink such that the newly created symlink would be
root-owned and would point to a regular file (or another symlink) that
would be written by the Postfix built-in local(8) or virtual(8)
delivery agents, regardless the ownership of the final destination
regular file. Depending on the write permissions of the spool mail
directory, the delivery style, and the existence of a root mailbox,
this could allow a local attacker to append a mail to an arbitrary file
like /etc/passwd in order to gain root privileges.

The default configuration of Gentoo Linux does not permit any kind of
user privilege escalation.

The second vulnerability (CVE-2008-2937) allows a local attacker,
already having write permissions to the mail spool directory which is
not the case on Gentoo by default, to create a previously nonexistent
mailbox before Postfix creates it, allowing to read the mail of another
user on the system.

Workaround
==========

The following conditions should be met in order to be vulnerable to
local privilege escalation.

* The mail delivery style is mailbox, with the Postfix built-in
local(8) or virtual(8) delivery agents.

* The mail spool directory (/var/spool/mail) is user-writeable.

* The user can create hardlinks pointing to root-owned symlinks
located in other directories.

Consequently, each one of the following workarounds is efficient.

* Verify that your /var/spool/mail directory is not writeable by a
user. Normally on Gentoo, only the mail group has write access, and
no end-user should be granted the mail group ownership.

* Prevent the local users from being able to create hardlinks
pointing outside of the /var/spool/mail directory, e.g. with a
dedicated partition.

* Use a non-builtin Postfix delivery agent, like procmail or
maildrop.

* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"
for example).

Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, by using Wietse Venema's Perl script available in the official
advisory.

Resolution
==========

All Postfix users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

References
==========

[ 1 ] CVE-2008-2936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
[ 2 ] CVE-2008-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
[ 3 ] Official Advisory
http://article.gmane.org/gmane.mail.postfix.announce/110

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200808-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close