Detections
Analytics
GLSA-200808-12 : Postfix: Local privilege escalation vulnerability
medium Nessus Plugin ID 33891
Synopsis
The remote Gentoo host is missing one or more security-related patches.Description
The remote host is affected by the vulnerability described in GLSA-200808-12 (Postfix: Local privilege escalation vulnerability)Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with the systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow to hardlink a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937).
Impact :
The combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless the ownership of the final destination regular file. Depending on the write permissions of the spool mail directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges.
The default configuration of Gentoo Linux does not permit any kind of user privilege escalation.
The second vulnerability (CVE-2008-2937) allows a local attacker, already having write permissions to the mail spool directory which is not the case on Gentoo by default, to create a previously nonexistent mailbox before Postfix creates it, allowing to read the mail of another user on the system.
Workaround :
The following conditions should be met in order to be vulnerable to local privilege escalation.
The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents.
The mail spool directory (/var/spool/mail) is user-writeable.
The user can create hardlinks pointing to root-owned symlinks located in other directories.
Consequently, each one of the following workarounds is efficient.
Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership.
Prevent the local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition.
Use a non-builtin Postfix delivery agent, like procmail or maildrop.
Use the maildir delivery style of Postfix ('home_mailbox=Maildir/' for example).
Concerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory.
Solution
All Postfix users should upgrade to the latest version:# emerge --sync # emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.5.3-r1'
See Also
Plugin Details
Severity: Medium
ID: 33891
File Name: gentoo_GLSA-200808-12.nasl
Version: 1.18
Type: local
Family: Gentoo Local Security Checks
Published: 8/15/2008
Updated: 1/6/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: High
Score: 8.9
CVSS v2
Risk Factor: Medium
Base Score: 6.2
Temporal Score: 4.9
Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: p-cpe:/a:gentoo:linux:postfix, cpe:/o:gentoo:linux
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/14/2008
Vulnerability Publication Date: 8/18/2008
Reference Information
CVE: CVE-2008-2936, CVE-2008-2937