[gentoo-announce] [ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability

[news 28]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: High

Title: Postfix: Local privilege escalation vulnerability

Date: August 14, 2008

Bugs: #232642

ID: 200808-12

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Postfix incorrectly checks the ownership of a mailbox, allowing, in

certain circumstances, to append data to arbitrary files on a local

system with root privileges.

 

Background

==========

 

Postfix is Wietse Venema's mailer that attempts to be fast, easy to

administer, and secure, as an alternative to the widely-used Sendmail

program.

 

Affected packages

=================

 

-------------------------------------------------------------------

Package / Vulnerable / Unaffected

-------------------------------------------------------------------

1 mail-mta/postfix < 2.5.3-r1 *>= 2.4.7-r1

>= 2.5.3-r1

 

Description

===========

 

Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail

to root-owned symlinks in an insecure manner under certain conditions.

Normally, Postfix does not deliver mail to symlinks, except to

root-owned symlinks, for compatibility with the systems using symlinks

in /dev like Solaris. Furthermore, some systems like Linux allow to

hardlink a symlink, while the POSIX.1-2001 standard requires that the

symlink is followed. Depending on the write permissions and the

delivery agent being used, this can lead to an arbitrary local file

overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix

delivery agent does not properly verify the ownership of a mailbox

before delivering mail (CVE-2008-2937).

 

Impact

======

 

The combination of these features allows a local attacker to hardlink a

root-owned symlink such that the newly created symlink would be

root-owned and would point to a regular file (or another symlink) that

would be written by the Postfix built-in local(8) or virtual(8)

delivery agents, regardless the ownership of the final destination

regular file. Depending on the write permissions of the spool mail

directory, the delivery style, and the existence of a root mailbox,

this could allow a local attacker to append a mail to an arbitrary file

like /etc/passwd in order to gain root privileges.

 

The default configuration of Gentoo Linux does not permit any kind of

user privilege escalation.

 

The second vulnerability (CVE-2008-2937) allows a local attacker,

already having write permissions to the mail spool directory which is

not the case on Gentoo by default, to create a previously nonexistent

mailbox before Postfix creates it, allowing to read the mail of another

user on the system.

 

Workaround

==========

 

The following conditions should be met in order to be vulnerable to

local privilege escalation.

 

* The mail delivery style is mailbox, with the Postfix built-in

local(8) or virtual(8) delivery agents.

 

* The mail spool directory (/var/spool/mail) is user-writeable.

 

* The user can create hardlinks pointing to root-owned symlinks

located in other directories.

 

Consequently, each one of the following workarounds is efficient.

 

* Verify that your /var/spool/mail directory is not writeable by a

user. Normally on Gentoo, only the mail group has write access, and

no end-user should be granted the mail group ownership.

 

* Prevent the local users from being able to create hardlinks

pointing outside of the /var/spool/mail directory, e.g. with a

dedicated partition.

 

* Use a non-builtin Postfix delivery agent, like procmail or

maildrop.

 

* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"

for example).

 

Concerning the second vulnerability, check the write permissions of

/var/spool/mail, or check that every Unix account already has a

mailbox, by using Wietse Venema's Perl script available in the official

advisory.

 

Resolution

==========

 

All Postfix users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

 

References

==========

 

[ 1 ] CVE-2008-2936

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936

[ 2 ] CVE-2008-2937

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937

[ 3 ] Official Advisory

http://article.gmane.org/gmane.mail.postfix.announce/110

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-200808-12.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users machines is of utmost

importance to us. Any security concerns should be addressed to

security ( -at -) gentoo.org or alternatively, you may file a bug at

http://bugs.gentoo.org.

 

License

=======

 

Copyright 2008 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5