root/owned
Description
===========
Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
Wietse
1. Postfix local privilege escalation via hardlinked symlinks
=============================================================
Sebastian Krahmer of SuSE has found a privilege escalation problem.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts. This can happen
on operating systems with specific non-standard behavior.
Symlinks (symbolic links) implement aliasing for UNIX pathnames.
total 8
drwx------ 2 root root 2 Dec 8 23:00 .
drwxr-xr-x 4 fstuart sysadmin 47 Dec 8 21:47 ..
### Verify my unprivileged, simulated malware is in place. It will
### write a root-owned file in the /var/tmp/fcs/outdir if executed
### by root.
Don't Panic! # ls -dl /var/tmp/fcs/testdir/vncserver
- -rwxr-xr-x 1 nobody nobody 174 Dec 8 23:28
/var/tmp/fcs/testdir/vncserver
The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition exists between the time this checking is performed
and when the mount is performed. Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.
CVE-2011-2145:
The vmware-user-suid-wrapper utility attempts to create a directory at
handling, exploitable by a local user.
CVE-2007-6206
Blake Frantz discovered that when a core file owned by a non-root user
exists, and a root-owned process dumps core over it, the core file
retains its original ownership. This could be used by a local user to
gain access to sensitive information.
CVE-2007-6417
ioctls with unterminated data.
CVE-2007-6206
Blake Frantz discovered that when a core file owned by a non-root user
exists, and a root-owned process dumps core over it, the core file
retains its original ownership. This could be used by a local user to
gain access to sensitive information.
CVE-2007-6694
III. ANALYSIS
Exploitation allows local attackers to gain root privileges.
In at least one case, the attacker's umask will be honored when creating
files. In this case, the attacker could create world-writable root-owned
files anywhere on the system. By targeting specific system files, such
as /etc/ld.so.preload or various cron data file locations, an attacker
could execute arbitrary code with superuser privileges.
IV. DETECTION
The default Debian installation of Postfix is not affected. Only a
configuration meeting the following requirements is vulnerable:
* The mail delivery style is mailbox, with the Postfix built-in
local(8) or virtual(8) delivery agents.
* The mail spool directory is user-writeable.
* The user can create hardlinks pointing to root-owned symlinks
located in other directories.
For a detailed treating of this issue, please refer to the upstream
author's announcement:
http://article.gmane.org/gmane.mail.postfix.announce/110
ioctls with unterminated data.
CVE-2007-6206
Blake Frantz discovered that when a core file owned by a non-root user
exists, and a root-owned process dumps core over it, the core file
retains its original ownership. This could be used by a local user to
gain access to sensitive information.
CVE-2007-6694
Debian installation is not affected. Only a configuration meeting
the following requirements is vulnerable:
* The mail delivery style is mailbox, with the Postfix built-in
local(8) or virtual(8) delivery agents.
* The mail spool directory (/var/spool/mail) is user-writeable.
* The user can create hardlinks pointing to root-owned symlinks
located in other directories.
For a detailed treating of the issue, please refer to the upstream
author's announcement:
http://article.gmane.org/gmane.mail.postfix.announce/110
ioctls with unterminated data.
CVE-2007-6206
Blake Frantz discovered that when a core file owned by a non-root user
exists, and a root-owned process dumps core over it, the core file
retains its original ownership. This could be used by a local user to
gain access to sensitive information.
CVE-2007-6694
|
