Package: maildrop
Version: 1.5.3-1.1
Severity: critical
Justification: local privilege escalation
Tags: security sarge sid patch
Hi Josip,

I've already tried to contact you about this, but have not heard from you. I'm filing it now to keep track. Please refer to message <[EMAIL PROTECTED]> for full details.

Short description: lockmail.maildrop (setgid mail) lets the user specify a program and execvp()s it, but does not drop egid mail privilege before doing so. This opens a trivial privilege escalation (see "poc") to group mail.

The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental, and should be easy to fix: just add setgid(getgid()) before the execvp(). I tested the attached patch briefly and verified that it builds and prevents this bug.

The bug appears to be specific to Debian; upstream doesn't seem to install lockmail with a setgid flag.

cheers,
Max
$ id
uid=1000(user) gid=1000(user) groups=1000(user)
$ lockmail.maildrop foo /bin/sh
$ id
uid=1000(user) gid=1000(user) egid=8(mail) groups=1000(user)
--- liblock/lockmail.c~ 2005-06-01 21:43:06.273749472 +0200 +++ liblock/lockmail.c 2005-06-01 21:32:04.000000000 +0200 @@ -160,6 +160,8 @@ if (pid == 0) { + setgid(getgid()); + (void)caught(); execvp(argvec[0], argvec);
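Review bot: The return value of the added setgid(getgid()) in the child is ignored, so if the call fails execvp() still runs with egid mail; check it and _exit() on failure rather than falling through to the exec. Also, an unprivileged setgid() changes only the effective GID and leaves the saved set-group-ID as mail, so the exec'd program can regain group mail with setgid(8); use setresgid(gid, gid, gid) (or setregid(gid, gid)) and verify with getresgid() before the execvp().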
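As an added example (not maildrop's code and not the patch above), this is how a setgid helper that exec's a user-supplied program should drop its group privilege in the child before execvp(). The function and file names are hypothetical; it assumes a Linux/glibc system with setresgid()/getresgid(), and it drops the saved set-group-ID as well as the effective GID, which a bare setgid(getgid()) does not do for a non-root process:

```c
#define _GNU_SOURCE /* for setresgid()/getresgid() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 when real, effective and saved GIDs are all equal, i.e. there is
 * no set-group-ID privilege left for the exec'd program to regain; 0 otherwise. */
int group_privs_dropped(void)
{
    gid_t rgid, egid, sgid;
    if (getresgid(&rgid, &egid, &sgid) != 0)
        return 0;
    return rgid == egid && egid == sgid;
}

/* Set real, effective and saved GIDs to the real GID and verify the result.
 * setresgid() is used instead of a bare setgid(): for a process that is not
 * root, setgid() changes only the effective GID and leaves the saved
 * set-group-ID (mail, for a setgid-mail binary), so the exec'd program could
 * restore it with setgid(<saved gid>). Returns 0 on success, -1 on failure. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    return group_privs_dropped() ? 0 : -1;
}

/* fork(), drop privilege in the child, then execvp() the caller's program.
 * Same shape as the lockmail child path, except that privilege is dropped and
 * checked before the exec. Returns the child's exit status, 127 if the program
 * could not be started, or -1 on a fork()/waitpid() error. */
int run_unprivileged(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privs() != 0)
            _exit(127); /* never exec with the egid still elevated */
        execvp(argv[0], argv);
        _exit(127);     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    /* If this binary is installed setgid mail, "./run_unprivileged id"
     * prints only the caller's own group: no egid=8(mail). */
    int rc = run_unprivileged(argv + 1);
    printf("child exit status: %d\n", rc);
    return rc < 0 ? 1 : rc;
}
```

The parent keeps its elevated group (the helper still needs it for the locking it was installed setgid for); only the child that is about to run untrusted argv gives it up, and it refuses to exec at all if the drop cannot be verified.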