Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability
Date: Thu, 14 Aug 2008 22:44:04
Message-Id: 20080814224107.GA28755@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200808-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Postfix: Local privilege escalation vulnerability
Date: August 14, 2008
Bugs: #232642
ID: 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Postfix incorrectly checks the ownership of a mailbox, which under
certain conditions allows a local user to append data to arbitrary
files on the local system with root privileges.

Background
==========

Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  mail-mta/postfix        < 2.5.3-r1                   *>= 2.4.7-r1
                                                           >= 2.5.3-r1

Description
===========

Sebastian Krahmer of SuSE has found that, under certain conditions,
Postfix delivers mail to root-owned symlinks in an insecure manner.
Normally, Postfix does not deliver mail to symlinks; root-owned
symlinks are the exception, kept for compatibility with systems such
as Solaris that use symlinks in /dev. Furthermore, some systems, Linux
among them, allow a hard link to be created to a symlink itself,
whereas POSIX.1-2001 requires link() to follow the symlink. Depending
on the write permissions and the delivery agent in use, this can lead
to an arbitrary local file write (CVE-2008-2936). In addition, the
Postfix delivery agent does not properly verify the ownership of a
mailbox before delivering mail to it (CVE-2008-2937).

Impact
======

The combination of these behaviours allows a local attacker to hard
link a root-owned symlink, so that the new name is itself a root-owned
symlink pointing at a regular file (or at another symlink). The Postfix
built-in local(8) or virtual(8) delivery agents would then write to it
regardless of who owns the final destination file. Depending on the
write permissions of the mail spool directory, the delivery style, and
the existence of a root mailbox, this could allow a local attacker to
append a mail to an arbitrary file such as /etc/passwd in order to
gain root privileges.

In its default configuration, Gentoo Linux does not meet the
conditions listed under Workaround below and is therefore not exposed
to this privilege escalation.

The second vulnerability (CVE-2008-2937) allows a local attacker who
already has write permission to the mail spool directory, which is not
the case on Gentoo by default, to create a previously nonexistent
mailbox before Postfix creates it, and thereby read the mail of another
user on the system.

Workaround
==========

All of the following conditions must be met for a system to be
vulnerable to the local privilege escalation:

* The mail delivery style is mailbox, with the Postfix built-in
  local(8) or virtual(8) delivery agents.

* The mail spool directory (/var/spool/mail) is user-writeable.

* The user can create hard links pointing to root-owned symlinks
  located in other directories.

Consequently, each one of the following workarounds is sufficient on
its own:

* Verify that your /var/spool/mail directory is not writeable by
  users. Normally on Gentoo, only the mail group has write access, and
  no end user should be a member of the mail group.

* Prevent local users from creating hard links that point outside the
  /var/spool/mail directory, e.g. by placing it on a dedicated
  partition (hard links cannot cross filesystems).

* Use a non-builtin Postfix delivery agent, such as procmail or
  maildrop.

* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"
  for example).

Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, by using Wietse Venema's Perl script available in the official
advisory.
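
The preconditions and checks above, together with the hard-link-to-symlink
behaviour described under Description, as an added shell audit. This is
example code written for this page, not part of the GLSA, of Gentoo's
tooling, or of Postfix. All function names are this example's own; it
assumes the Gentoo spool group is named "mail" and that regular users have
uid >= 1000, and it reads the live Postfix configuration with postconf(1)
only inside run_audit(), so every individual check can also be pointed at a
test directory. One caveat that postdates this advisory: Linux kernels from
3.6 on with fs.protected_hardlinks=1 refuse to hard link a symlink the
caller does not own, which removes the third precondition on such systems.

```shell
#!/bin/sh
# Added audit helpers for GLSA 200808-12 (written for this page; not
# Gentoo's or Postfix's own code). Every check takes explicit paths so
# it can run against a test directory; run_audit() wires the checks to
# the live system, reading the Postfix configuration with postconf(1).

# Precondition 1: mailbox-style delivery by the built-in local(8)/virtual(8)
# agents, i.e. no mailbox_command and a home_mailbox that is empty or
# does not end in "/". Returns 0 when that (affected) style is in use.
builtin_mailbox_delivery() {
    home_mailbox=$1 mailbox_command=$2
    [ -n "$mailbox_command" ] && return 1       # procmail, maildrop, ...
    case "$home_mailbox" in
        */) return 1 ;;                          # maildir style: not affected
    esac
    return 0
}

# Precondition 2: spool directory writable by users. Prints one line per
# problem (world-writable, or group-writable by a group other than the
# assumed Gentoo default "mail"); returns 0 when nothing was found.
spool_permission_problems() {
    dir=$1 rc=0
    if [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
        echo "$dir is world-writable"; rc=1
    fi
    grp=$(ls -ld "$dir" | awk '{ print $4 }')
    if [ -n "$(find "$dir" -prune -perm -020 -print)" ] && [ "$grp" != mail ]; then
        echo "$dir is writable by group '$grp' (expected: mail)"; rc=1
    fi
    return $rc
}

# Entries in the spool that deserve a look: symbolic links (Postfix follows
# root-owned ones) and non-directories with a link count above 1, the
# hard-linked-symlink primitive from CVE-2008-2936.
suspicious_spool_entries() {
    find "$1" ! -type d \( -type l -o -links +1 \) -print | sort
}

# CVE-2008-2937: accounts that have no mailbox yet. With a writable spool a
# local user could create one of these first and read the victim's mail.
# Usage: accounts_without_mailbox SPOOL [PASSWD_FILE] [MIN_UID]
accounts_without_mailbox() {
    dir=$1 passwd=${2:-/etc/passwd} min_uid=${3:-1000}
    awk -F: -v min="$min_uid" '$3 >= min { print $1 }' "$passwd" |
    while read -r user; do
        [ -e "$dir/$user" ] || echo "$user"
    done
}

# The primitive itself: on Linux, link(2) on a symlink creates a second
# name for the same symlink inode, so the new name keeps the original
# owner (root, in the attack) while sitting in an attacker-chosen
# directory. Prints "hardlinked-symlink" or, where link(2) follows the
# symlink as POSIX.1-2001 specifies, "followed".
hardlink_symlink_probe() {
    work=$(mktemp -d) || return 1
    echo "regular file" > "$work/target"
    ln -s "$work/target" "$work/rootlink"      # stands in for the root-owned symlink
    mkdir "$work/attacker"
    ln -P "$work/rootlink" "$work/attacker/mailbox" 2>/dev/null ||
        ln "$work/rootlink" "$work/attacker/mailbox"   # ln without -P (e.g. busybox)
    if [ -L "$work/attacker/mailbox" ]; then
        echo hardlinked-symlink
    else
        echo followed
    fi
    rm -rf "$work"
}

# Run all checks against the live system (meaningful as root on a Postfix host).
run_audit() {
    spool=$(postconf -h mail_spool_directory 2>/dev/null) || spool=/var/spool/mail
    hm=$(postconf -h home_mailbox 2>/dev/null)
    mc=$(postconf -h mailbox_command 2>/dev/null)
    if builtin_mailbox_delivery "$hm" "$mc"; then
        echo "delivery style: built-in mailbox (precondition 1 met)"
    else
        echo "delivery style: maildir or external agent (not affected)"
    fi
    spool_permission_problems "$spool" || echo "precondition 2 met: $spool is user-writable"
    echo "symlinks / multiply-linked entries under $spool:"
    suspicious_spool_entries "$spool"
    echo "accounts (uid >= 1000) without a mailbox in $spool:"
    accounts_without_mailbox "$spool"
    echo "link(2) on a symlink on this kernel: $(hardlink_symlink_probe)"
}

if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Run it as `sh audit.sh --run` on the mail host; a clean Gentoo default shows
no permission problems, no symlinks or multiply-linked entries in the spool,
and the delivery style of your main.cf. The probe's output documents whether
the kernel exposes the hard-link-to-symlink primitive at all, which is the
condition the dedicated-partition workaround is meant to neutralise.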

Resolution
==========

All Postfix users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

References
==========

[ 1 ] CVE-2008-2936
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
[ 2 ] CVE-2008-2937
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
[ 3 ] Official Advisory
      http://article.gmane.org/gmane.mail.postfix.announce/110

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200808-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5