Postfix mail server hardlinks privilege escalation updated since 14.08.2008
Published:		02.09.2008
Source:		BUGTRAQ
SecurityVulns ID:		9222
Type:		local
Level:		4/10
Description:		It's possible to cause Postfix to deliver mail to system file by using hardlinks to symlink (available against standard in Linux, IRIX, Solaris).

Affected:		POSTFIX : Postfix 2.3
		POSTFIX : Postfix 2.4
		POSTFIX : postfix 2.5
		POSTFIX : postfix 2.6
CVE:		CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.)
		CVE-2008-2936 (Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.)

Original document		Roman Medina, PoCfix (PoC for Postfix local root vuln - CVE-2008-2936) (02.09.2008)
		Wietse Venema, Postfix local privilege escalation via hardlinked symlinks (14.08.2008)

Files:		PoC for Postfix local root vuln - CVE-2008-2936
Discuss:		Read or add your comments to this news (0 comments)