Bug 559681 (CVE-2010-0301)

Summary: CVE-2010-0301 maildrop: does not drop supplementary groups when dropping privileges
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: axel.thimm, jlieskov, nb
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0301
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-03-09 18:19:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 559684

Description Vincent Danen 2010-01-28 18:26:19 UTC
Christoph Anton Mitterer reported [1] that maildrop is prone to a privilege escalation issue that grants a user root group privileges.  This is due to maildrop not dropping supplementary groups when being invoked by root.

Simple testcase is to create a testmaildrop user and then create ~testmaildrop/.mailfilter (owned by testmaildrop and mode 0600):

% sudo cat ~testmaildrop/.mailfilter
echo `id`
exit
% sudo maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note that Debian has maildrop only sgid mail, but Fedora provides maildrop suid root and sgid mail.  Also note that this cannot be used to quickly elevate your own privileges, and it can only be taken advantage of if maildrop is actually executed by root (even with it being suid root):

% sudo su - testmaildrop
$ maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=13910(testmaildrop) groups=13910(testmaildrop) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -al `which maildrop`
-rwsr-sr-x. 1 root mail 175944 2009-09-04 15:49 /usr/bin/maildrop

The Debian bug report notes this patch will fix the issue:

diff -U3 -r1.58 main.C
--- maildrop/main.C 13 Jan 2010 01:32:02 -0000  1.58
+++ maildrop/main.C 15 Jan 2010 03:49:01 -0000
@@ -476,6 +476,8 @@
                    nouser();
#if RESET_GID
                setgroupid(my_pw->pw_gid);
+#else
+               setgroupid(getegid());
#endif
                setuid(my_pw->pw_uid);
                if (getuid() != my_pw->pw_uid)
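Review bot: the new `#else` branch calls `setgroupid(getegid())` without checking its result, while the uid step just below it is verified with `if (getuid() != my_pw->pw_uid)`; the group drop deserves the same treatment, because a failed setgroups() would leave the caller's supplementary groups in place, which is exactly the condition this bug reports. Suggest checking the return value of setgroupid() and, after the drop, confirming with getgroups() that no group other than the intended one remains. Two further points to confirm since setgroupid()'s body is not in this hunk: that it actually clears the supplementary list rather than only changing the gid, and that getegid() is the intended argument, since on a binary installed suid root and sgid mail (as Fedora's is) the effective gid at that point is the mail group, not my_pw->pw_gid as in the RESET_GID branch.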


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
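
The privilege-drop sequence the report describes, as an added example in C that is not maildrop's code: the incomplete pattern (setuid() alone, which leaves root's supplementary groups behind) beside a complete drop that clears the supplementary list and the gid before the uid, verifies each step, and checks that root cannot be regained. The group audit is also run over a constructed copy of the id(1) output quoted above (groups 0,1,2,3,4,6,10 against target gid 13910). It assumes Linux/glibc; the function names and the command-line usage are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample: the supplementary group list that id(1) printed in
 * the report when root invoked maildrop, and the target user's primary gid
 * from the same output. */
static const gid_t reported_root_groups[] = {0, 1, 2, 3, 4, 6, 10};
#define REPORTED_ROOT_NGROUPS 7
#define REPORTED_TARGET_GID 13910

/* Vulnerable pattern (the behaviour before the fix): setuid() alone leaves
 * the invoking process's supplementary group list untouched. */
static int drop_privileges_incomplete(uid_t uid)
{
    return setuid(uid);
}

/* Complete drop. Order matters: supplementary groups and gid must go
 * before uid, because once the process is unprivileged it can no longer
 * call setgroups()/setgid(). Every step is verified, and for a non-root
 * target we check that root cannot be regained. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)            /* list now holds only gid */
        return -1;
    if (setgid(gid) != 0 || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid)
        return -1;
    if (uid != 0 && setuid(0) == 0)         /* must fail after a real drop */
        return -1;
    return 0;
}

/* Count the groups in a list other than `allowed`. A complete drop leaves 0. */
static int count_foreign_groups(const gid_t *groups, int n, gid_t allowed)
{
    int foreign = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != allowed)
            foreign++;
    return foreign;
}

/* The same audit applied to the reported id(1) output: 7 leaked groups. */
static int reported_leak(void)
{
    return count_foreign_groups(reported_root_groups, REPORTED_ROOT_NGROUPS,
                                REPORTED_TARGET_GID);
}

/* The same audit applied to the calling process via getgroups(); -1 on error. */
static int foreign_groups_in_process(gid_t allowed)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)(n > 0 ? n : 1), sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int foreign = (n < 0) ? -1 : count_foreign_groups(list, n, allowed);
    free(list);
    return foreign;
}

/* Usage (hypothetical binary name): `sudo ./drop testmaildrop`. Exits 0 only
 * if the process ends up with no supplementary group other than the user's. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 2;
    }
    (void)drop_privileges_incomplete;   /* shown for contrast, not called */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    int foreign = foreign_groups_in_process(pw->pw_gid);
    printf("uid=%lu gid=%lu foreign supplementary groups=%d\n",
           (unsigned long)getuid(), (unsigned long)getgid(), foreign);
    return foreign == 0 ? 0 : 1;
}
```

Run as root against the test user from the report, the final line should show zero foreign groups; a build that used drop_privileges_incomplete() instead would print root's groups, matching the first id output above. The getgroups() audit is the check a packager can add to a test suite for any suid/sgid helper, independent of maildrop.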

Comment 2 Jan Lieskovsky 2010-02-04 16:41:24 UTC
Axel,

  any progress with scheduling Fedora maildrop updates?

Thanks, Jan.

Comment 3 Fedora Update System 2010-02-14 16:32:53 UTC
maildrop-2.4.0-12.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc12

Comment 4 Fedora Update System 2010-02-14 16:33:02 UTC
maildrop-2.4.0-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc11

Comment 5 Fedora Update System 2010-02-16 13:10:11 UTC
maildrop-2.4.0-12.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-02-16 13:21:41 UTC
maildrop-2.4.0-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.