'Re: [oss-security] Remote Code Execution in qmail (CVE-2005-1513)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Remote Code Execution in qmail (CVE-2005-1513)
From:       Qualys Security Advisory <qsa () qualys ! com>
Date:       2020-06-16 21:24:16
Message-ID: 20200616212416.GA26798 () localhost ! localdomain
[Download RAW message or body]


Hi all,

Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at:

https://www.qualys.com/research/security-advisories/

A few notes about this exploit:

- It works as-is against a default, unpatched installation of qmail on
  Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of
  memory on the target machine, and creates a file in /tmp when
  successful.

- It can be ported to other Linux distributions (if the qmail-local
  binary is not full-RELRO) by modifying the lines marked with XXX in
  the exploit code.

- To obtain the mmap layout described in our advisory, the exploit
  simulates the qmail-local program, and must therefore be executed on
  the same type of Linux distribution as the target. For example, in our
  tests, we executed the exploit on a Debian 10.0 machine and remotely
  attacked a Debian 10.3 machine.

  The exploit parameters can probably be calculated without the
  qmail-local simulation, and can certainly be precalculated, but we
  wanted to keep our exploit as general as possible.

For the local exploit (LPE), there are only two command-line arguments:

- "user": the name of the target user (on a default Debian installation,
  this can be "man", "root", "avahi-autoipd", or any real user account).

- "domain": by default, the hostname in "/var/lib/qmail/control/me".

For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option:

- "-i client_ip": the IP address of the attacking machine, as seen by
  the target machine.

- "-h client_host": the hostname of the attacking machine (if it has no
  reverse DNS, the empty string can be specified, and the exploit will
  use qmail's default, "unknown").

- "-s server_host": the hostname of the target machine (by default, the
  same as the "domain" below).

- "user": the name of the target user.

- "domain": by default, the hostname in "/var/lib/qmail/control/me" on
  the target machine (and hence the hostname in qmail's SMTP banner).

- "server_ip": the IP address of the target machine.

- "-d homedir": the home directory of the target user, if known
  (otherwise, the exploit uses a reasonable default).

We are at your disposal for questions, comments, and further
discussions. Thank you very much!

With best regards,

--
the Qualys Security Advisory team


[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>




This message may contain confidential and privileged information. If it has been sent to you in \
error, please reply to advise the sender of the error and then immediately delete it. If you \
are not the intended recipient, do not read, copy, disclose or otherwise use this message. The \
sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to \
Qualys email accounts will be archived and may be scanned by us and/or by external service \
providers to detect and prevent threats to our systems, investigate illegal or inappropriate \
behavior, and/or eliminate unsolicited promotional emails ("spam"). If you have any concerns \
about this process, please contact us.


["CVE-2005-1513.tar.gz" (application/gzip)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic