ID CVE-2008-2937
Summary Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.
References
Vulnerable Configurations
  • postfix 2.5.0
    cpe:2.3:a:postfix:postfix:2.5.0
  • postfix 2.5.1
    cpe:2.3:a:postfix:postfix:2.5.1
  • postfix 2.5.2
    cpe:2.3:a:postfix:postfix:2.5.2
  • postfix 2.5.3
    cpe:2.3:a:postfix:postfix:2.5.3
  • postfix 2.6.0
    cpe:2.3:a:postfix:postfix:2.6.0
CVSS
Base: 1.9 (as of 19-08-2008 - 11:35)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and delivered in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For historical reasons, PCs (and, as a result, Microsoft OSs) use a backslash, whereas the UNIX world typically uses the forward slash. The result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one form of the slash, but not the other.
Access
Vector: LOCAL
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-224.NASL
    description A vulnerability has been found and corrected in postfix : Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name (CVE-2008-2937). This update provides a solution to this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 40813
    published 2009-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40813
    title Mandriva Linux Security Advisory : postfix (MDVSA-2009:224-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-0422.NASL
    description Updated postfix packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) It was discovered that Postfix did not properly check the permissions of users' mailbox files. A local attacker able to create files in the mail spool directory could use this flaw to create mailbox files for other local users, and be able to read mail delivered to those users. (CVE-2008-2937) Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411, and Sebastian Krahmer of the SuSE Security Team for reporting CVE-2008-2937. The CERT/CC acknowledges Wietse Venema as the original reporter of CVE-2011-0411. Users of Postfix are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the postfix service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53338
    published 2011-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53338
    title CentOS 4 / 5 : postfix (CESA-2011:0422)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110406_POSTFIX_ON_SL4_X.NASL
    description It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) It was discovered that Postfix did not properly check the permissions of users' mailbox files. A local attacker able to create files in the mail spool directory could use this flaw to create mailbox files for other local users, and be able to read mail delivered to those users. (CVE-2008-2937) After installing this update, the postfix service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61010
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61010
    title Scientific Linux Security Update : postfix on SL4.x, SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0422.NASL
    description From Red Hat Security Advisory 2011:0422 : Updated postfix packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) It was discovered that Postfix did not properly check the permissions of users' mailbox files. A local attacker able to create files in the mail spool directory could use this flaw to create mailbox files for other local users, and be able to read mail delivered to those users. (CVE-2008-2937) Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411, and Sebastian Krahmer of the SuSE Security Team for reporting CVE-2008-2937. The CERT/CC acknowledges Wietse Venema as the original reporter of CVE-2011-0411. Users of Postfix are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the postfix service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68248
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68248
    title Oracle Linux 4 / 5 : postfix (ELSA-2011-0422)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_POSTFIX-5501.NASL
    description A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 and CVE-2008-2937 have been assigned to this problem.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 33897
    published 2008-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33897
    title openSUSE 10 Security Update : postfix (postfix-5501)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-8595.NASL
    description New upstream patch level version 2.5.5, including multiple security fixes detailed in upstream announcements: http://www.postfix.org/announcements/20080814.html http://www.postfix.org/announcements/20080902.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 34377
    published 2008-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34377
    title Fedora 8 : postfix-2.5.5-1.fc8 (2008-8595)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0422.NASL
    description Updated postfix packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) It was discovered that Postfix did not properly check the permissions of users' mailbox files. A local attacker able to create files in the mail spool directory could use this flaw to create mailbox files for other local users, and be able to read mail delivered to those users. (CVE-2008-2937) Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411, and Sebastian Krahmer of the SuSE Security Team for reporting CVE-2008-2937. The CERT/CC acknowledges Wietse Venema as the original reporter of CVE-2011-0411. Users of Postfix are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the postfix service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 53310
    published 2011-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53310
    title RHEL 4 / 5 : postfix (RHSA-2011:0422)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-8593.NASL
    description New upstream patch level version 2.5.5, including multiple security fixes detailed in upstream announcements: http://www.postfix.org/announcements/20080814.html http://www.postfix.org/announcements/20080902.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 34376
    published 2008-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34376
    title Fedora 9 : postfix-2.5.5-1.fc9 (2008-8593)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12219.NASL
    description A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 and CVE-2008-2937 have been assigned to this problem.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 41231
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41231
    title SuSE9 Security Update : Postfix (YOU Patch Number 12219)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200808-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-200808-12 (Postfix: Local privilege escalation vulnerability). Sebastian Krahmer of SuSE has found that Postfix allows delivery of mail to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow hardlinking a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937). Impact : The combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless of the ownership of the final destination regular file. Depending on the write permissions of the mail spool directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges. The default configuration of Gentoo Linux does not permit any kind of user privilege escalation. The second vulnerability (CVE-2008-2937) allows a local attacker who already has write permissions to the mail spool directory, which is not the case on Gentoo by default, to create a previously nonexistent mailbox before Postfix creates it, allowing them to read the mail of another user on the system. Workaround : The following conditions must be met in order to be vulnerable to local privilege escalation: the mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents; the mail spool directory (/var/spool/mail) is user-writable; the user can create hardlinks pointing to root-owned symlinks located in other directories. Consequently, each one of the following workarounds is effective. Verify that your /var/spool/mail directory is not writable by a user. Normally on Gentoo, only the mail group has write access, and no end user should be granted mail group membership. Prevent local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition. Use a non-builtin Postfix delivery agent, like procmail or maildrop. Use the maildir delivery style of Postfix ('home_mailbox=Maildir/' for example). Concerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 33891
    published 2008-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33891
    title GLSA-200808-12 : Postfix: Local privilege escalation vulnerability
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_POSTFIX-080804.NASL
    description A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 and CVE-2008-2937 have been assigned to this problem.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 40111
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40111
    title openSUSE Security Update : postfix (postfix-133)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_POSTFIX-5500.NASL
    description A (local) privilege escalation vulnerability as well as a mailbox ownership problem has been fixed in postfix. CVE-2008-2936 / CVE-2008-2937 have been assigned to this problem.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 33888
    published 2008-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33888
    title SuSE 10 Security Update : Postfix (ZYPP Patch Number 5500)
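The Gentoo advisory text above recommends two checks for CVE-2008-2937: that /var/spool/mail is not writable by ordinary users, and that every account already has a mailbox. The shell script below is an added example, not code from Postfix, Gentoo, Tenable or the original advisory (Wietse Venema's Perl script is not reproduced here). It audits a spool directory for both preconditions and adds the direct check the summary implies: that each mailbox file is owned by the account it is named after. It assumes Linux with GNU coreutils (stat -c), the traditional one-mbox-per-user spool layout, and takes a passwd-format file as the account list so the same check can run against a constructed test tree; the demo accounts alice and bob and the uids 65001/65002 are made up.

```shell
#!/bin/sh
# Added example, not Postfix/Gentoo/Tenable code: audit a traditional mbox spool
# for the preconditions of CVE-2008-2937.
# Assumes Linux with GNU coreutils (stat -c), one mbox file per account named
# after the account, and a passwd-format file (name:x:uid:...) as the account
# list, so the same check can run against a constructed test tree.

# audit_spool SPOOL_DIR PASSWD_FILE
# Prints FINDING/NOTE lines; returns 1 if any FINDING was printed, else 0.
audit_spool() {
    spool=$1
    passwd=$2
    rc=0

    # Precondition 1: can ordinary users create files in the spool?
    # A world-writable spool is a finding even with the sticky bit set: sticky
    # only stops users deleting each other's files, not creating new ones.
    # Group-writable is only noted, since a dedicated mail group with no
    # interactive members is the normal safe configuration.
    mode=$(stat -c '%a' "$spool")                       # e.g. 1777 or 775
    other=$(printf '%s' "$mode" | tail -c 1)
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    case $other in
        2|3|6|7) echo "FINDING: $spool is world-writable (mode $mode)"; rc=1 ;;
    esac
    case $group in
        2|3|6|7) echo "NOTE: $spool is group-writable (gid $(stat -c '%g' "$spool"), mode $mode)" ;;
    esac

    # Precondition 2: a mailbox must belong to the account it is named after.
    # Ownership is compared by uid against the account list; this is the
    # property the CVE summary says vulnerable versions failed to check.
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case $name in *.lock) continue ;; esac          # mbox lock files, not mailboxes
        owner_uid=$(stat -c '%u' "$f")
        want_uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$passwd")
        if [ -z "$want_uid" ]; then
            echo "FINDING: $f has no matching account in $passwd"; rc=1
        elif [ "$owner_uid" != "$want_uid" ]; then
            echo "FINDING: $f owned by uid $owner_uid, but account $name is uid $want_uid"; rc=1
        fi
    done

    # Accounts with no mailbox yet: harmless while the spool is not writable,
    # but these are exactly the names an attacker would pre-create.
    while IFS=: read -r name pw uid rest; do
        [ -e "$spool/$name" ] || echo "NOTE: account $name (uid $uid) has no mailbox in $spool"
    done < "$passwd"
    return $rc
}

# make_demo_spool BASE
# Constructed demo tree: the current user has a correctly owned mailbox, "alice"
# has a mailbox created by the current user (the CVE-2008-2937 scenario) and
# "bob" has none. The accounts alice/bob and uids 65001/65002 are made up.
make_demo_spool() {
    base=$1
    me=$(id -un); myuid=$(id -u)
    mkdir -p "$base/spool"
    chmod 1777 "$base/spool"                            # classic sticky, world-writable spool
    printf 'From MAILER-DAEMON\n\nhello\n' > "$base/spool/$me"
    printf 'From MAILER-DAEMON\n\nplanted\n' > "$base/spool/alice"
    : > "$base/spool/alice.lock"
    printf '%s:x:%s:%s::/home/%s:/bin/sh\n' "$me" "$myuid" "$myuid" "$me" > "$base/passwd"
    printf 'alice:x:65001:65001::/home/alice:/bin/sh\n' >> "$base/passwd"
    printf 'bob:x:65002:65002::/home/bob:/bin/sh\n' >> "$base/passwd"
}

# Usage: sh audit_spool.sh demo                      (constructed tree)
#        sh audit_spool.sh /var/spool/mail /etc/passwd
case ${1:-} in
    demo) d=$(mktemp -d); make_demo_spool "$d"; audit_spool "$d/spool" "$d/passwd"; rm -rf "$d" ;;
    "")   ;;
    *)    audit_spool "$1" "${2:-/etc/passwd}" ;;
esac
```

On a real host, `postconf -h home_mailbox mail_spool_directory` shows which delivery style is in use; with the maildir workaround (`home_mailbox = Maildir/`) the spool checks do not apply, and with a spool that is only writable by a dedicated mail group the missing-mailbox NOTE lines are informational rather than exposure.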
redhat via4
advisories
rhsa
id RHSA-2011:0422
rpms
  • postfix-2:2.2.10-1.4.el4
  • postfix-pflogsumm-2:2.2.10-1.4.el4
  • postfix-2:2.3.3-2.2.el5_6
  • postfix-pflogsumm-2:2.3.3-2.2.el5_6
refmap via4
bid 30691
bugtraq 20080821 rPSA-2008-0259-1 postfix
confirm
fedora
  • FEDORA-2008-8593
  • FEDORA-2008-8595
gentoo GLSA-200808-12
mandriva MDVSA-2009:224
secunia
  • 31477
  • 31485
  • 31500
  • 32231
suse SUSE-SA:2008:040
vupen ADV-2008-2385
xf postfix-email-information-disclosure(44461)
statements via4
contributor Joshua Bressers
lastmodified 2008-08-19
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 07-12-2016 - 22:01
Published 18-08-2008 - 15:41
Last modified 11-10-2018 - 16:45