Vigil@nce: maildrop, privilege elevation
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When emails are delivered with maildrop, a local attacker can
acquire privileges of the root group.
Severity: 2/4
Consequences: administrator access/rights, privileged access/rights
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 28/01/2010
IMPACTED PRODUCTS
– Debian Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The maildrop program delivers local messages and filters them.
This command is for example called by root:
maildrop -d user_who_receives_the_email
The email recipient can then have a /.mailfilter file containing
commands to execute, in order to filter the mail.
The maildrop command looses root privileges, and acquires
privileges of the user, before executing commands of the filtering
file. However, additional groups are not limited to user’s group.
The root (0) additional group is therefore kept.
When emails are delivered with maildrop, a local attacker can thus
acquire privileges of the root group.
CHARACTERISTICS
Identifiers: 564601, BID-37984, CVE-2010-0301, DSA 1981-1, DSA
1981-2, VIGILANCE-VUL-9389
http://vigilance.fr/vulnerability/maildrop-privilege-elevation-9389