GLSA-200808-12 : Postfix: Local privilege escalation vulnerability

This script is Copyright (C) 2008-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200808-12
(Postfix: Local privilege escalation vulnerability)

Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).

Impact :

The combination of these features allows a local attacker to hardlink a
root-owned symlink such that the newly created symlink would be
root-owned and would point to a regular file (or another symlink) that
would be written by the Postfix built-in local(8) or virtual(8)
delivery agents, regardless the ownership of the final destination
regular file. Depending on the write permissions of the spool mail
directory, the delivery style, and the existence of a root mailbox,
this could allow a local attacker to append a mail to an arbitrary file
like /etc/passwd in order to gain root privileges.
The default configuration of Gentoo Linux does not permit any kind of
user privilege escalation.
The second vulnerability (CVE-2008-2937) allows a local attacker,
already having write permissions to the mail spool directory which is
not the case on Gentoo by default, to create a previously nonexistent
mailbox before Postfix creates it, allowing to read the mail of another
user on the system.

Workaround :

The following conditions should be met in order to be vulnerable to
local privilege escalation.
The mail delivery style is mailbox, with the Postfix built-in
local(8) or virtual(8) delivery agents.
The mail spool directory (/var/spool/mail) is user-writeable.
The user can create hardlinks pointing to root-owned symlinks
located in other directories.
Consequently, each one of the following workarounds is efficient.
Verify that your /var/spool/mail directory is not writeable by a
user. Normally on Gentoo, only the mail group has write access, and no
end-user should be granted the mail group ownership.
Prevent the local users from being able to create hardlinks
pointing outside of the /var/spool/mail directory, e.g. with a
dedicated partition.
Use a non-builtin Postfix delivery agent, like procmail or
maildrop.
Use the maildir delivery style of Postfix ('home_mailbox=Maildir/'
for example).
Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, by using Wietse Venema's Perl script available in the official
advisory.

See also :

http://article.gmane.org/gmane.mail.postfix.announce/110
http://www.gentoo.org/security/en/glsa/glsa-200808-12.xml

Solution :

All Postfix users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-mta/postfix-2.5.3-r1'

Risk factor :

Medium / CVSS Base Score : 6.2
(CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 33891 (gentoo_GLSA-200808-12.nasl)

Bugtraq ID:

CVE ID: CVE-2008-2936
CVE-2008-2937