LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
03-29-2011, 02:46 PM   #1
trist007
Distribution: Slackware
postfix local privilege escalation...


I have a question about this vulnerability. I don't quite understand it. I got the article from
http://www.postfix.org/announcements/20080814.html

Anyhow, my configuration is affected because of the way hard links are created. I ran the following script.
Code:
PATH=/bin:/usr/bin:$PATH
mkdir test
cd test
touch src
ln -s src dst1
ln dst1 dst2
ls -l
and my system created two symlinks.
Code:
lrwxrwxrwx  2 user users 3 Mmm dd hh:mm dst1 -> src
lrwxrwxrwx  2 user users 3 Mmm dd hh:mm dst2 -> src
-rw-r--r--  1 user users 0 Mmm dd hh:mm src
So according to the article "an attacker can hardlink a root-owned symlink to for example /var/mail, and cause Postfix to append mail to existing files that are owned by root or non-root accounts."

Can somebody give an example of this? As a non-root user I can create a hardlink named "link" to "/var/mail" but "/var/mail" is only a directory so things like
Code:
echo test123 > link
have no effect on "/var/mail."
How would an attacker literally create a link to "/var/mail" and append mail to a root or non-root file?
I'd like to understand this.
 
03-29-2011, 07:04 PM   #2
unSpawn
Moderator
Root can link and slink any file anyway so if a file has excessive access rights (say octal 0777) or if a process is allowed to write to a file then it's game over anyway, right? So in a malicious scenario root unexpectedly linking files is collateral damage: the interesting part is how root got to perform the op.
 
03-29-2011, 09:35 PM   #3
trist007
Original Poster
Could you give me an example? In this case /var/mail is a directory instead of a file. Plus /var/mail doesn't have 777 permissions. Therefore, how would this be a privilege escalation vulnerability?
 
03-30-2011, 04:58 AM   #4
Noway2
Distribution: Ubuntu 10.10, Slackware 64-current
I think part of the problem is, or rather probably was, that the mail delivery directory has group write permissions so that Postfix can access the directory to put mail there. For example, my maildir is owned by vmail.mail and has owner and group write permissions. The privilege escalation comes into play in that Postfix uses a symbolic link, and a hard link to the symbolic link gets elevated permissions. In the example, you created a file and a symbolic link to it. You then created a hard link to the symbolic link, which goes directly to the source file. Apparently this allows write access to the src file via the group permissions of Postfix.

Anyway, I say it was a problem because most distributions would have applied the patch to the source code by now. In response to this thread, I even downloaded the Postfix source for my distribution and checked for the applied patch. The patch works by placing further restrictions on the ownership of links (must be root only).
 
03-30-2011, 02:55 PM   #5
unSpawn
Moderator
Quote:
Originally Posted by trist007
In this case /var/mail is a directory instead of a file.
It's about exploiting hard and softlinks to files inside the mail spool directory.


Quote:
Originally Posted by trist007
Plus /var/mail doesn't have 777 permissions.
Postfix is not affected or exploitable this way when
0) using maildir-style delivery or when
1) using a non-Postfix LDA or when
2) no group (g) or other (o) write permissions exist on the mail spool directory or when
3) the application to hardlink to for the exploit and the mail spool file to use as target in the attack are on separate partitions.
Note posting an example of the exploit would be against the LQ Rules but is trivial to find yourself.
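Since an exploit example is off-limits here, the following is an added defensive check script (not from the thread or from the Postfix project) that covers trist007's hard-link test from post #1 and conditions 2 and 3 from unSpawn's list above. The default path /var/mail comes from the thread; the `postconf -h home_mailbox` query for condition 0 assumes Postfix's postconf is installed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for the conditions the
# posts above describe. The hard-link test runs in a private temp directory
# and nothing touches a real mail spool.

# Post #1: does `ln` hard-link the symlink itself (the two-symlink listing
# trist007 saw) or the file it points to? Returns 0 when the new link is itself
# a symlink, 1 when ln resolved it to the target, 2 if setup failed.
hardlink_targets_symlink() {
    d=$(mktemp -d) || return 2
    ( cd "$d" && touch src && ln -s src dst1 && ln dst1 dst2 ) || { rm -rf "$d"; return 2; }
    if [ -L "$d/dst2" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Post #5, condition 2: group or other write permission on the spool directory.
# Parses the mode column of `ls -ld`, so no GNU stat is needed. Returns 0 when
# group or other can write, 1 when neither can, 2 when $1 is not a directory.
spool_group_or_other_writable() {
    [ -d "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*)    return 0 ;;   # character 6: group write bit
        ????????w?) return 0 ;;   # character 9: other write bit
    esac
    return 1
}

# Post #5, condition 3: do two paths share a filesystem? Compares the
# filesystem column of `df -P`. Returns 0 when they are on the same one.
same_filesystem() {
    a=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}')
    b=$(df -P "$2" 2>/dev/null | awk 'NR==2 {print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Summary for one spool directory (default /var/mail, as in the thread).
# Condition 0 (maildir delivery) is read from postconf when Postfix is present.
report() {
    spool=${1:-/var/mail}
    if hardlink_targets_symlink; then echo "ln hard-links a symlink itself"; else echo "ln follows symlinks (or test failed)"; fi
    if spool_group_or_other_writable "$spool"; then echo "$spool: group/other writable"; else echo "$spool: not group/other writable, or not a directory"; fi
    if same_filesystem "$spool" /; then echo "$spool shares a filesystem with /"; else echo "$spool is on a separate filesystem from / (or missing)"; fi
    if command -v postconf >/dev/null 2>&1; then echo "home_mailbox = $(postconf -h home_mailbox)"; fi
}

report "$@"
```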