- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200808-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Postfix: Local privilege escalation vulnerability
Date: August 14, 2008
Bugs: #232642
ID: 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Postfix mishandles root-owned symlinks and does not properly check the
ownership of a mailbox, allowing a local attacker, under certain
circumstances, to append data to arbitrary files on the local system
with root privileges.

Background
==========

Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  mail-mta/postfix         < 2.5.3-r1                   *>= 2.4.7-r1
                                                            >= 2.5.3-r1

Description
===========

Sebastian Krahmer of SuSE found that, under certain conditions, Postfix
delivers mail to root-owned symlinks in an insecure manner. Normally,
Postfix does not deliver mail to symlinks; the exception is root-owned
symlinks, kept for compatibility with systems such as Solaris that use
symlinks in /dev. Furthermore, some systems, Linux among them, allow a
hard link to be created to a symlink itself, whereas the POSIX.1-2001
standard requires that the symlink be followed. Depending on the write
permissions and the delivery agent in use, this can lead to arbitrary
local file overwriting (CVE-2008-2936). In addition, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail to it (CVE-2008-2937).

Impact
======

The combination of these behaviours allows a local attacker to create a
hard link to a root-owned symlink. The new link is still root-owned and
still points to a regular file (or another symlink), so the Postfix
built-in local(8) or virtual(8) delivery agents will write to it
regardless of who owns the final destination file. Depending on the
write permissions of the mail spool directory, the delivery style, and
the existence of a root mailbox, this could allow a local attacker to
append a mail to an arbitrary file such as /etc/passwd in order to gain
root privileges.

The default configuration of Gentoo Linux does not permit any kind of
user privilege escalation.

The second vulnerability (CVE-2008-2937) allows a local attacker who
already has write permission on the mail spool directory (which is not
the case on Gentoo by default) to create a previously nonexistent
mailbox before Postfix creates it, allowing them to read another user's
mail.

Workaround
==========

All of the following conditions must be met for a system to be
vulnerable to the local privilege escalation:

* The mail delivery style is mailbox, with the Postfix built-in
  local(8) or virtual(8) delivery agents.

* The mail spool directory (/var/spool/mail) is user-writeable.

* The user can create hard links pointing to root-owned symlinks
  located in other directories.

Consequently, each of the following workarounds is effective on its
own:

* Verify that your /var/spool/mail directory is not writeable by
  users. Normally on Gentoo, only the mail group has write access, and
  no end user should be granted membership of the mail group.

* Prevent local users from creating hard links pointing outside of the
  /var/spool/mail directory, e.g. by putting it on a dedicated
  partition (hard links cannot cross filesystems).

* Use a non-built-in Postfix delivery agent, such as procmail or
  maildrop.

* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/",
  for example).

Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, for example with Wietse Venema's Perl script available in the
official advisory.

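The following shell script is added here as an example and is not part of the GLSA or of Postfix. It checks the three preconditions listed above (spool writability, built-in mbox delivery, hard links reachable across the spool's filesystem) and performs the per-account mailbox check for the second vulnerability. The /var/spool/mail default, the uid threshold of 1000 for regular accounts, and the use of postconf -h to read home_mailbox, mailbox_command and mailbox_transport are assumptions about a typical Gentoo installation; each check takes its inputs as arguments so it can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the GLSA or from Postfix: audit the three
# preconditions listed in the Workaround section, plus the per-account
# mailbox check for CVE-2008-2937. All paths, the uid threshold and the
# postconf(1) parameters queried in audit_postfix are assumptions about a
# typical Gentoo installation; the checks take their inputs as arguments so
# they can be exercised against a scratch directory.

# spool_user_writable DIR
# 0: only the owner can write   1: world-writable   2: group-writable
# (group write is acceptable only if no end user is in that group).
spool_user_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)                # e.g. drwxrwsr-x
    case $(printf '%s' "$perms" | cut -c9) in w) return 1 ;; esac
    case $(printf '%s' "$perms" | cut -c6) in w) return 2 ;; esac
    return 0
}

# builtin_mailbox_delivery HOME_MAILBOX MAILBOX_COMMAND MAILBOX_TRANSPORT
# 0 when local(8) itself writes mbox files (the affected delivery style),
# 1 when mail goes to a maildir, an external agent or another transport.
# virtual(8) uses the same convention: a mailbox path ending in "/" is a
# maildir, so the same test applies to virtual_mailbox_maps entries.
builtin_mailbox_delivery() {
    [ -n "$3" ] && return 1             # mailbox_transport, e.g. an LMTP server
    [ -n "$2" ] && return 1             # mailbox_command, e.g. procmail/maildrop
    case $1 in */) return 1 ;; esac     # home_mailbox=Maildir/
    return 0
}

# same_filesystem DIR1 DIR2
# 0 if both directories live on one filesystem, so someone with write
# access to DIR1 can hard-link objects found under DIR2 into it; 1 if a
# filesystem boundary (e.g. a dedicated spool partition) prevents that.
same_filesystem() {
    a=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    b=$(df -P "$2" | awk 'NR == 2 { print $NF }')
    [ "$a" = "$b" ]
}

# mailbox_audit PASSWD_FILE SPOOL_DIR [MIN_UID]
# For every account with uid >= MIN_UID, print "missing NAME" when no
# mailbox exists yet (someone with spool write access could create it
# first) or "foreign NAME OWNER" when the mailbox belongs to another user.
mailbox_audit() {
    passwd=$1 spool=$2 min_uid=${3:-1000}
    awk -F: -v min="$min_uid" '$3 >= min { print $1 }' "$passwd" |
    while read -r name; do
        box="$spool/$name"
        if [ ! -e "$box" ]; then
            echo "missing $name"
        else
            owner=$(ls -ld "$box" | awk '{ print $3 }')
            [ "$owner" = "$name" ] || echo "foreign $name $owner"
        fi
    done
}

# audit_postfix [SPOOL_DIR]: run all checks against the live system.
audit_postfix() {
    spool=${1:-/var/spool/mail}
    [ -d "$spool" ] || { echo "$spool: no such directory"; return 1; }
    rc=0; spool_user_writable "$spool" || rc=$?
    case $rc in
        1) echo "$spool is world-writable: precondition met" ;;
        2) echo "$spool is group-writable: make sure no end user is in its group" ;;
        0) echo "$spool is not user-writable: precondition not met" ;;
    esac
    if command -v postconf >/dev/null 2>&1; then
        if builtin_mailbox_delivery "$(postconf -h home_mailbox)" \
               "$(postconf -h mailbox_command)" "$(postconf -h mailbox_transport)"; then
            echo "delivery style: built-in mbox (affected if the spool is writable)"
        else
            echo "delivery style: maildir, external agent or other transport (not affected)"
        fi
    fi
    if same_filesystem "$spool" /etc; then
        echo "$spool and /etc share a filesystem: hard links between them are possible"
    fi
    mailbox_audit /etc/passwd "$spool"
}

# Usage: sh postfix-glsa-audit.sh [/var/spool/mail]
if [ $# -gt 0 ]; then audit_postfix "$1"; fi
```

Run it as root so that every mailbox in the spool is readable by ls -ld; a "group-writable" result is only a finding if an end user is in that group, which is what the advisory's Gentoo note turns on. On Linux kernels that support it, the fs.protected_hardlinks sysctl (a later addition, not mentioned in the advisory) refuses unprivileged hard links to files the caller does not own, symlinks included, and so independently removes the third precondition even when the spool shares a filesystem with /etc.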
Resolution
==========

All Postfix users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

References
==========

[ 1 ] CVE-2008-2936
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
[ 2 ] CVE-2008-2937
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
[ 3 ] Official Advisory
      http://article.gmane.org/gmane.mail.postfix.announce/110

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200808-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5