安全研究

安全漏洞
Postfix本地信息泄露和权限提升漏洞

发布日期:2008-08-14
更新日期:2008-08-19

受影响系统:
Wietse Venema Postfix 2.6
Wietse Venema Postfix 2.5
Wietse Venema Postfix 2.4
Wietse Venema Postfix 2.3
不受影响系统:
Wietse Venema Postfix 2.5.4 Patchlevel 4
描述:
BUGTRAQ  ID: 30691
CVE(CAN) ID: CVE-2008-2936,CVE-2008-2937

Postfix是Unix类操作系统中所使用的邮件传输代理。

Postfix中的多个安全漏洞允许恶意的本地攻击者泄露敏感信息或以提升的权限执行某些操作。

1) Postfix没有正确地处理符号链接文件,本地用户可以通过创建到属于root用户符号链接的硬链接导致向任意文件附加邮件消息。成功利用这个漏洞要求用户拥有邮件spool目录的写权限。

2) Postfix在传输邮件时没有正确地检查目的地的所有权,如果为其他用户创建了不安全的邮箱文件的话,就可能导致泄露邮件。成功利用这个漏洞要求拥有在邮件spool目录中创建文件的权限。

<*来源:Sebastian Krahmer (krahmer@suse.de
  
  链接:http://secunia.com/advisories/31485/
        http://article.gmane.org/gmane.mail.postfix.announce/110
        http://www.debian.org/security/2008/dsa-1629
        http://security.gentoo.org/glsa/glsa-200808-12.xml
        https://www.redhat.com/support/errata/RHSA-2008-0839.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

http://www.rs-labs.com/exploitsntools/rs_pocfix.sh

建议:
厂商补丁:

Debian
------
Debian已经为此发布了一个安全公告(DSA-1629-1)以及相应补丁:
DSA-1629-1:New postfix packages fix privilege escalation
链接:http://www.debian.org/security/2008/dsa-1629

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz
Size/MD5 checksum:  2787761 a6c560657788fc7a5444fa9ea32f5513
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.diff.gz
Size/MD5 checksum:   177462 0827e61a7033e8625d92123c84b32782
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.dsc
Size/MD5 checksum:      907 8e9f0c462c57eb2be521714404474aca

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2etch1_all.deb
Size/MD5 checksum:   130818 5038e376db1c661eb0284f96dff4761a
http://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2etch1_all.deb
Size/MD5 checksum:   785408 5db9bdc0300637afd3d508afe2c261dc

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:  1188364 c8c7f45763ccfd74b84335ea073c551c
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:    36556 fcb1c6262baed1402032c2105b83d059
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:    38746 a0d1334395beda433d586b63b0d60b80
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:    43408 d9e830efc4532ccddc46f394232959a6
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:    38596 855c8573280d5b191a12175b2e7afe8c
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_alpha.deb
Size/MD5 checksum:    38928 579217f55db12977c61b8d437f3ab436

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:    38318 24205dd0481bb1d78684167d8d20f44f
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:    38338 50a46f34f638ea42525b98ca985b4f11
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:    43268 a24dd35f2ec288c2c4f674099e44385f
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:  1148848 f27f053dffd95b730f1186ed37ed8673
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:    38460 907b2a8d84a54cdf31ade8c201d3780a
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_amd64.deb
Size/MD5 checksum:    36378 1ab120583bcc5873a5350d9786282eab

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_arm.deb
Size/MD5 checksum:    42742 2d6799c7726a3943a39939baebacdc98
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_arm.deb
Size/MD5 checksum:    38324 6acd31d6ce0200fdd49043c99459c4c8
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_arm.deb
Size/MD5 checksum:    38394 52628e6399391671a8512ed25739813c
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_arm.deb
Size/MD5 checksum:    38592 1db4a21bb2c6f135e342b65317ecb897
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_arm.deb
Size/MD5 checksum:  1080626 3e05804bf0bf7101ae3e4eec33d1524f
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_arm.deb
Size/MD5 checksum:    36378 71361b9cd3c008a9e96e8c23866b1a80

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:    37504 76b3b4785a5e91fc1010ce32ccee31ed
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:    45296 73bc72e54d6ef6909fd3df4266061d7b
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:    40138 807908ccb69444d9aa1917861dc51af9
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:  1174040 44260c5be83cd1d051de22c155aee72a
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:    39814 547026b4994dfbf216be7f9ee0487054
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_hppa.deb
Size/MD5 checksum:    39624 69209a3695bb1568f8c11e6ab4bb792d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_i386.deb
Size/MD5 checksum:    36514 2c10b797c15b02828b344693d4f9c597
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_i386.deb
Size/MD5 checksum:    38680 d1beb196bcc090457a791760b5e7bdfd
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_i386.deb
Size/MD5 checksum:    38354 d074798f79b42bd245e13b8ce0f3adef
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_i386.deb
Size/MD5 checksum:    43160 40cc3fc2fc6374a07893321c2758a447
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_i386.deb
Size/MD5 checksum:    38770 d97f22246f4cb6cb48e4c993ad37daac
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_i386.deb
Size/MD5 checksum:  1092656 30352104ad6fad91f13b996483e52e5b

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:    37958 d3628d8f8d4fa6cc760ef77e21acb468
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:    40762 6c5dcb7f2d6196ddf23a8e6d7b9e5f10
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:    47878 bb8188e31d1a632164d1bb5dda88a810
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:  1439608 cfc2f5db48f0f6bcc8ddb3e85a4032d6
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:    40766 59cd143a5727868aaae30f309286a433
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_ia64.deb
Size/MD5 checksum:    41066 385bf68a76cd27e12e012bf535a841e0

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_mips.deb
Size/MD5 checksum:    38194 014b70898f5aae21a95877c4e32f9941
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_mips.deb
Size/MD5 checksum:    36186 7c957d531808b35bd6994aeea448e213
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_mips.deb
Size/MD5 checksum:    38188 29a16989a6414ed3722f1422f46d9cd2
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_mips.deb
Size/MD5 checksum:    38446 0dc8cfc6f527161b8b4ce16dd8b297c6
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_mips.deb
Size/MD5 checksum:  1129132 4e6a95c1f4040b7b24ac18ab80455d4d
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_mips.deb
Size/MD5 checksum:    42376 af1d25a56c756443db89f6aa6a7bbb38

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:    37738 ee3c0924d5deb0d61741c9497156c0bf
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:    44218 6ade57e38f9948016b71e6373f6f1863
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:    39670 6a6597cfb2a225d05963a149386d8fcc
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:    39774 3979adcff1c659588beb2e65c5ddb4d3
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:  1167716 45d3590893a6b4c3efc99780508f92e1
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_powerpc.deb
Size/MD5 checksum:    39966 7acc51d59c4c640b8c4963c09c573356

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_s390.deb
Size/MD5 checksum:    38752 56864ace555741a8e580ac9cdad129c3
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_s390.deb
Size/MD5 checksum:  1154368 f62e41e9b4d18eaaf76d0096370ceb1f
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_s390.deb
Size/MD5 checksum:    36562 9deaaf037d9694a5a09f01743c687a52
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_s390.deb
Size/MD5 checksum:    38360 6191ba334c80aa5e4dd12df40781c96d
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_s390.deb
Size/MD5 checksum:    43310 9a73eaee5cfd0b3656976a36c256e676
http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_s390.deb
Size/MD5 checksum:    38918 570c0d157fd6b6b4102122a965d3e6f6

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:    38198 6ca537558089e41ebbdea7c90f2e4fd4
http://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:    37906 746615a2cc165a0fcb5aff5be073e289
http://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:    38058 ac84629509e45bf424752e4852e175e1
http://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:    36106 55d00480a61daa52578d69081a4e93a6
http://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:  1080776 87ff76ea63ba069b769b3491fac51670
http://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_sparc.deb
Size/MD5 checksum:    42910 767373c92a53b62640e69b16749f1fcc

补丁安装方法:

1. 手工安装补丁包:

  首先,使用下面的命令来下载补丁软件:
  # wget url  (url是补丁下载链接地址)

  然后,使用下面的命令来安装补丁:  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包:

   首先,使用下面的命令更新内部数据库:
   # apt-get update
  
   然后,使用下面的命令安装更新软件包:
   # apt-get upgrade

RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2008:0839-01)以及相应补丁:
RHSA-2008:0839-01:Moderate: postfix security update
链接:https://www.redhat.com/support/errata/RHSA-2008-0839.html

Wietse Venema
-------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.tar.gz

Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200808-12)以及相应补丁:
GLSA-200808-12:Postfix: Local privilege escalation vulnerability
链接:http://security.gentoo.org/glsa/glsa-200808-12.xml

所有Postfix用户都应升级到最新版本:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

浏览次数:3584
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客