|Main Archive Page > Month Archives > full-disclosure-uk archives|
-----BEGIN PGP SIGNED MESSAGE-----
The recent vulnerability in Postfix discovered by Sebastian Krahmer is trivially exploitable when certain preconditions are met. Nevertheless, it's very difficult to find such conditions in a real-world scenario. I wrote this exploit for fun and to demonstrate that. I also hope it helps sysadmins to check and test their systems.
I used an Ubuntu/Debian (IA32) system which *I had to make vulnerable on
purpose*. The tweaks were:
- - #1: make the spool writable to attacker
chmod o+w /var/mail
- - #2: disable mail aliases (LDA should be able to deliver mail directly to
- - #3: use "local" postfix process as LDA
Perhaps condition #1 is the most difficult to meet, for a normal (non-privileged) user. But think about a privilege escalation if you manage to get into the "mail" group first (spool dir is tipically writable by members of "mail" group).
For #2, it depends on configuration, but Ubuntu/Debian usually creates an alias for "root", so that mail is delivered to a non-root account (and making the system non vulnerable to this exploit).
When installing Postfix, you are asked to choose a local delivery agent (LDA). I found one of my test systems using procmail (not vulnerable) and another one using postfix built-in LDA (vulnerable).
For a quick test, normally, it will be sufficient to append the following
lines to /etc/postfix/main.cf:
(left blank intentionally)
Finally, postfix should be refreshed:
There are other preconditions like:
- - #4: postfix should not be using maildir-style mailboxes
My script tries to do its best to check for these conditions (postfix config is very flexible, I only checked some typical parameters). Feel free to write me for corrections, etc.
PS: I didn't find Wietse's nice advisory  on postfix.org site (or at least, if it exists, it's not easy to find it). Although it seems that some non-POSIX issues in OS are contributing to the vulnerability, IMHO it's a (low-medium risk) vulnerability in Postfix and it deserves to be listed on postfix page. Despite this issue, Postfix continues being one of the best mail server software ever made and my favourite MTA.
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
-----END PGP SIGNATURE-----