Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.

From Red Hat Security Advisory 2008:0839 :

Updated postfix packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS.

A flaw was found in the way Postfix dereferences symbolic links. If a local user has write access to a mail spool directory with no root mailbox, it may be possible for them to append arbitrary data to files that root has write permission to. (CVE-2008-2936)

Red Hat would like to thank Sebastian Krahmer for responsibly disclosing this issue.

All users of postfix should upgrade to these updated packages, which contain a backported patch that resolves this issue.

A flaw was found in the way Postfix dereferences symbolic links. If a local user has write access to a mail spool directory with no root mailbox, it may be possible for them to append arbitrary data to files that root has write permission to. (CVE-2008-2936)

A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 and CVE-2008-2937 have been assigned to this problem.

Sebastian Krahmer of the SUSE Security Team discovered a flaw in the way Postfix dereferenced symbolic links. If a local user had write access to a mail spool directory without a root mailbox file, it could be possible for them to append arbitrary data to files that root had write permissions to (CVE-2008-2936).

The updated packages have been patched to correct this issue.

New upstream patch level version 2.5.5, including multiple security fixes detailed in upstream announcements:
http://www.postfix.org/announcements/20080814.html http://www.postfix.org/announcements/20080902.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Sebastian Krahmer discovered that Postfix was not correctly handling mailbox ownership when dealing with Linux's implementation of hardlinking to symlinks. In certain mail spool configurations, a local attacker could exploit this to append data to arbitrary files as the root user. The default Ubuntu configuration was not vulnerable.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.

Note that only specific configurations are vulnerable; the default Debian installation is not affected. Only a configuration meeting the following requirements is vulnerable :

  - The mail delivery style is mailbox, with the Postfix     built-in local(8) or virtual(8) delivery agents.
  - The mail spool directory (/var/spool/mail) is     user-writeable.

  - The user can create hardlinks pointing to root-owned     symlinks located in other directories.

For a detailed treating of the issue, please refer to the upstream author's announcement.

Updated postfix packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS.

A flaw was found in the way Postfix dereferences symbolic links. If a local user has write access to a mail spool directory with no root mailbox, it may be possible for them to append arbitrary data to files that root has write permission to. (CVE-2008-2936)

Red Hat would like to thank Sebastian Krahmer for responsibly disclosing this issue.

All users of postfix should upgrade to these updated packages, which contain a backported patch that resolves this issue.

The remote host is affected by the vulnerability described in GLSA-200808-12 (Postfix: Local privilege escalation vulnerability)

    Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail     to root-owned symlinks in an insecure manner under certain conditions.
    Normally, Postfix does not deliver mail to symlinks, except to     root-owned symlinks, for compatibility with the systems using symlinks     in /dev like Solaris. Furthermore, some systems like Linux allow to     hardlink a symlink, while the POSIX.1-2001 standard requires that the     symlink is followed. Depending on the write permissions and the     delivery agent being used, this can lead to an arbitrary local file     overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix     delivery agent does not properly verify the ownership of a mailbox     before delivering mail (CVE-2008-2937).
  Impact :

    The combination of these features allows a local attacker to hardlink a     root-owned symlink such that the newly created symlink would be     root-owned and would point to a regular file (or another symlink) that     would be written by the Postfix built-in local(8) or virtual(8)     delivery agents, regardless the ownership of the final destination     regular file. Depending on the write permissions of the spool mail     directory, the delivery style, and the existence of a root mailbox,     this could allow a local attacker to append a mail to an arbitrary file     like /etc/passwd in order to gain root privileges.
    The default configuration of Gentoo Linux does not permit any kind of     user privilege escalation.
    The second vulnerability (CVE-2008-2937) allows a local attacker,     already having write permissions to the mail spool directory which is     not the case on Gentoo by default, to create a previously nonexistent     mailbox before Postfix creates it, allowing to read the mail of another     user on the system.
  Workaround :

    The following conditions should be met in order to be vulnerable to     local privilege escalation.
    The mail delivery style is mailbox, with the Postfix built-in     local(8) or virtual(8) delivery agents.
    The mail spool directory (/var/spool/mail) is user-writeable.
    The user can create hardlinks pointing to root-owned symlinks     located in other directories.
    Consequently, each one of the following workarounds is efficient.
    Verify that your /var/spool/mail directory is not writeable by a     user. Normally on Gentoo, only the mail group has write access, and no     end-user should be granted the mail group ownership.
    Prevent the local users from being able to create hardlinks     pointing outside of the /var/spool/mail directory, e.g. with a     dedicated partition.
    Use a non-builtin Postfix delivery agent, like procmail or     maildrop.
    Use the maildir delivery style of Postfix ('home_mailbox=Maildir/'     for example).
    Concerning the second vulnerability, check the write permissions of     /var/spool/mail, or check that every Unix account already has a     mailbox, by using Wietse Venema's Perl script available in the official     advisory.

A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 / CVE-2008-2937 have been assigned to this problem.

ID	Name	Product	Family	Severity
67738	Oracle Linux 3 / 4 / 5 : postfix (ELSA-2008-0839)	Nessus	Oracle Linux Local Security Checks	medium
60464	Scientific Linux Security Update : postfix on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
41231	SuSE9 Security Update : Postfix (YOU Patch Number 12219)	Nessus	SuSE Local Security Checks	medium
40111	openSUSE Security Update : postfix (postfix-133)	Nessus	SuSE Local Security Checks	medium
37883	Mandriva Linux Security Advisory : postfix (MDVSA-2008:171)	Nessus	Mandriva Local Security Checks	medium
34377	Fedora 8 : postfix-2.5.5-1.fc8 (2008-8595)	Nessus	Fedora Local Security Checks	medium
34376	Fedora 9 : postfix-2.5.5-1.fc9 (2008-8593)	Nessus	Fedora Local Security Checks	medium
33941	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : postfix vulnerability (USN-636-1)	Nessus	Ubuntu Local Security Checks	medium
33934	Debian DSA-1629-2 : postfix - programming error	Nessus	Debian Local Security Checks	medium
33897	openSUSE 10 Security Update : postfix (postfix-5501)	Nessus	SuSE Local Security Checks	medium
33893	RHEL 3 / 4 / 5 : postfix (RHSA-2008:0839)	Nessus	Red Hat Local Security Checks	medium
33891	GLSA-200808-12 : Postfix: Local privilege escalation vulnerability	Nessus	Gentoo Local Security Checks	medium
33890	CentOS 3 / 4 / 5 : postfix (CESA-2008:0839)	Nessus	CentOS Local Security Checks	medium
33888	SuSE 10 Security Update : Postfix (ZYPP Patch Number 5500)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2008-2936

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium