|
Postfix Symlink Handling and Destination Ownership Security Issues
|
|
Secunia Advisory:
|
SA31485
|
|
|
Release Date:
|
2008-08-14
|
|
Last Update:
|
2008-08-19
|
|
Popularity:
|
4,505 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Exposure of sensitive information
Privilege escalation
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Postfix 2.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2008-2936
CVE-2008-2937
|
|
Description:
Sebastian Krahmer has reported some security issues in Postfix, which can be exploited by malicious, local users to disclose potentially sensitive information and perform certain actions with escalated privileges.
1) A security issue is caused due to Postfix incorrectly handling symlink files. This can be exploited to e.g. append mail messages to arbitrary files by creating a hardlink to a symlink owned by the root user.
Successful exploitation requires write permission to the mail spool directory, that there is no "root" mailbox, and users can create a hardlink to a symlink (e.g. Linux 2.x, Solaris, Irix 6.5).
2) A security issue is caused due to Postfix not correctly checking the ownership of the destination when delivering email. This can be exploited to e.g. disclose emails by creating an insecure mailbox file for other users.
Successful exploitation requires permission to create files within the mail spool directory.
Solution:
Update to version 2.5.4 Patchlevel 4.
Provided and/or discovered by:
Sebastian Krahmer, SuSE
Changelog:
2008-08-15: Added additional information provided by the vendor. Added link to Postfix advisory.
2008-08-19: Added link to US-CERT.
Original Advisory:
SuSE:
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
Postfix:
http://de.postfix.org/ftpmirror/official/postfix-2.5.4.HISTORY
http://article.gmane.org/gmane.mail.postfix.announce/110
Other References:
US-CERT VU#938323:
http://www.kb.cert.org/vuls/id/938323
Extended Solution:
The "Extended Solution" section is available for Secunia customers only. Request a trial and get access to the Secunia Customer Area and Extended Secunia advisories.
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
