[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Remote Code Execution in qmail (CVE-2005-1513)
From: Qualys Security Advisory <qsa () qualys ! com>
Date: 2020-06-16 21:30:13
Message-ID: 20200616213013.GB26798 () localhost ! localdomain
[Download RAW message or body]
Hi all,
Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at:
https://www.qualys.com/research/security-advisories/
A few notes about this exploit:
- It works as-is against a default, unpatched installation of qmail on
Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of
memory on the target machine, and creates a file in /tmp when
successful.
- It can be ported to other Linux distributions (if the qmail-local
binary is not full-RELRO) by modifying the lines marked with XXX in
the exploit code.
- To obtain the mmap layout described in our advisory, the exploit
simulates the qmail-local program, and must therefore be executed on
the same type of Linux distribution as the target. For example, in our
tests, we executed the exploit on a Debian 10.0 machine and remotely
attacked a Debian 10.3 machine.
The exploit parameters can probably be calculated without the
qmail-local simulation, and can certainly be precalculated, but we
wanted to keep our exploit as general as possible.
For the local exploit (LPE), there are only two command-line arguments:
- "user": the name of the target user (on a default Debian installation,
this can be "man", "root", "avahi-autoipd", or any real user account).
- "domain": by default, the hostname in "/var/lib/qmail/control/me".
For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option:
- "-i client_ip": the IP address of the attacking machine, as seen by
the target machine.
- "-h client_host": the hostname of the attacking machine (if it has no
reverse DNS, the empty string can be specified, and the exploit will
use qmail's default, "unknown").
- "-s server_host": the hostname of the target machine (by default, the
same as the "domain" below).
- "user": the name of the target user.
- "domain": by default, the hostname in "/var/lib/qmail/control/me" on
the target machine (and hence the hostname in qmail's SMTP banner).
- "server_ip": the IP address of the target machine.
- "-d homedir": the home directory of the target user, if known
(otherwise, the exploit uses a reasonable default).
We are at your disposal for questions, comments, and further
discussions. Thank you very much!
With best regards,
--
the Qualys Security Advisory team
[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>
This message may contain confidential and privileged information. If it has been sent to you in \
error, please reply to advise the sender of the error and then immediately delete it. If you \
are not the intended recipient, do not read, copy, disclose or otherwise use this message. The \
sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to \
Qualys email accounts will be archived and may be scanned by us and/or by external service \
providers to detect and prevent threats to our systems, investigate illegal or inappropriate \
behavior, and/or eliminate unsolicited promotional emails ("spam"). If you have any concerns \
about this process, please contact us.
["CVE-2005-1513.tar.gz" (application/gzip)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic