FS#12330 - Privilege escalation (root) in extra/postfix 2.5.3-1

Attached to Project: Arch Linux
Opened by: hyperb0lix (hyperb0lix) - Wednesday, 03 December 2008, 08:32 GMT
Last edited by: Paul Mattal (paul) - Wednesday, 03 December 2008, 21:56 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Dale Blount (dale), Paul Mattal (paul), Eric Belanger (Snowman)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version: None
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

extra/postfix 2.5.3-1 suffers from a privilege escalation vulnerability. If an attacker has local access, he or she can easily obtain a root shell. This vulnerability has been left unpatched since August.

Additional info:

* package version(s)
extra/postfix 2.5.3-1

* config and/or log files etc.
See below and attached.

Steps to reproduce:

[~] postconf mail_version
mail_version = 2.5.3
[~] whoami
hyperb0lix
[~] ./rs_pocfix.sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
# *** MODIFIED ***
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
[*] Postfix seems to be installed
[*] Hardlink to symlink not dereferenced
[*] Spool dir is writable
[*] Backed up: /etc/passwd (saved as "/tmp/pocfix_target_backup.8831")
[*] Sending mail (5 seconds wait)
[*] Exploit successful (appended data to /etc/passwd)
[*] Enter "postfux" for the password
Password:
[hyperb0lix] whoami
root

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
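The reproduction above ends with the PoC appending an entry to /etc/passwd and the reporter obtaining a root shell from it. As an added example (not part of this ticket and not Arch's own tooling), the following POSIX sh check audits a passwd-format file for the two traces such an entry leaves behind: a second uid-0 account, and a password hash stored inline in field 2 instead of in /etc/shadow. The sample passwd lines, the placeholder hash in them, and the optional file-path argument are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the ticket: post-incident audit of a passwd-format
# file. Reports every line that is either a uid-0 account other than root
# or an account whose password field is not a shadow marker (x, *, !).
# Output is one finding per line: "<TYPE> <username>".
# Assumption: the file to inspect is passed as the first argument; when it
# is omitted, a constructed sample file is used so the script runs offline.

audit_passwd() {
    awk -F: '
        /^$/ || /^#/ { next }                      # skip blank and comment lines
        NF < 7 { printf "MALFORMED %s\n", $0; next }  # passwd needs 7 fields
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        $2 != "x" && $2 != "*" && $2 != "!" { printf "PASSWD_FIELD %s\n", $1 }
    ' "$1"
}

# Constructed sample: one normal shadowed user plus one entry shaped like the
# one the PoC appends (uid 0, hash kept inline). The hash is a placeholder.
make_sample_passwd() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/sh
backdoor:$1$c0nstructd$PLACEHOLDERHASHxxxxxxxxxx:0:0::/root:/bin/sh
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run: audit the given file, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
else
    f=$(make_sample_passwd)
    audit_passwd "$f"
    rm -f "$f"
fi
```

Run it against a live system as `sh audit_passwd.sh /etc/passwd`; on a clean host it prints nothing. Any `UID0` or `PASSWD_FIELD` line is a finding to correlate with the mail spool and the Postfix maillog around the same time, since the PoC on this ticket needed a queued message to trigger the write.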
Closed by: Paul Mattal (paul) - Wednesday, 03 December 2008, 21:56 GMT
Reason for closing: Fixed
Comment by hyperb0lix (hyperb0lix) - Wednesday, 03 December 2008, 08:43 GMT
Agh, something is up with my browser. The file was attached to my previous comment. Sorry.
Comment by Jan de Groot (JGC) - Wednesday, 03 December 2008, 08:54 GMT
I deleted your comment with attachment, as I don't like the fact that we're hosting exploits.
Comment by hyperb0lix (hyperb0lix) - Wednesday, 03 December 2008, 08:57 GMT
I had second thoughts about posting it, but it was too late. Thank you for removing my comment. :)
Comment by Dale Blount (dale) - Wednesday, 03 December 2008, 13:23 GMT
Eric / Paul - please let me know if either of you start on this. I should have time in 10 hours or so to work on this if it's not done by then.
Comment by Paul Mattal (paul) - Wednesday, 03 December 2008, 14:01 GMT
It appears that all that is required is the upgrade to 2.5.5. I'll try building and testing this.
Comment by Paul Mattal (paul) - Wednesday, 03 December 2008, 14:24 GMT
I've built 2.5.5 for both arches in testing and the i686 is currently running on one of my servers.

If at least one other person can sign off, we can move them to extra.
Comment by hyperb0lix (hyperb0lix) - Wednesday, 03 December 2008, 17:06 GMT
Thanks for the swift response, everyone. I appreciate it, as I do use Postfix.
Comment by Eric Belanger (Snowman) - Wednesday, 03 December 2008, 20:11 GMT
I don't use this stuff so I can't really test it in depth. I would say: if the i686 package seems to run fine on your server and if you can start/stop the daemon of the x86_64 package, then push it to extra. This is a security issue so we want to fix (i.e. update) the package in extra ASAP.
Comment by Paul Mattal (paul) - Wednesday, 03 December 2008, 21:56 GMT
Tested thusly and moved.