Bug 559681 - (CVE-2010-0301) CVE-2010-0301 maildrop: does not drop supplementary groups when dropping privileges
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 559684
Reported: 2010-01-28 13:26 EST by Vincent Danen
Modified: 2015-07-29 09:12 EDT (History)
Last Closed: 2010-03-09 13:19:03 EST
Description Vincent Danen 2010-01-28 13:26:19 EST
Christoph Anton Mitterer reported [1] that maildrop is prone to a privilege escalation issue that grants a user root group privileges.  This is due to maildrop not dropping supplementary groups when being invoked by root.

A simple test case is to create a testmaildrop user and then create ~testmaildrop/.mailfilter (owned by testmaildrop and mode 0600):

% sudo cat ~testmaildrop/.mailfilter
echo `id`
exit
% sudo maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note that Debian has maildrop only sgid mail, but Fedora provides maildrop suid root and sgid mail.  Also note that this cannot be used to quickly elevate your own privileges and this can only be taken advantage of if maildrop is actually executed by root (even with it being suid root):

% sudo su - testmaildrop
$ maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=13910(testmaildrop) groups=13910(testmaildrop) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -al `which maildrop`
-rwsr-sr-x. 1 root mail 175944 2009-09-04 15:49 /usr/bin/maildrop

The Debian bug report notes this patch will fix the issue:

diff -U3 -r1.58 main.C
--- maildrop/main.C 13 Jan 2010 01:32:02 -0000  1.58
+++ maildrop/main.C 15 Jan 2010 03:49:01 -0000
@@ -476,6 +476,8 @@
                    nouser();
#if RESET_GID
                setgroupid(my_pw->pw_gid);
+#else
+               setgroupid(getegid());
#endif
                setuid(my_pw->pw_uid);
                if (getuid() != my_pw->pw_uid)
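Review bot: the new `#else` branch, `setgroupid(getegid());`, only changes the group id, and nothing in this hunk shows the supplementary group list being cleared, which is the defect the report describes (`groups=0(root),1(bin),...` surviving the switch to uid 13910); unless `setgroupid()` itself calls `setgroups()`, an explicit `setgroups(1, &gid)` (or `setgroups(0, NULL)`) is needed before `setuid(my_pw->pw_uid);`. The return value of `setgroupid()` is also unchecked in both branches, whereas `setuid()` is verified by the `getuid()` comparison on the following line; a failed group change would silently leave the filter running with the caller's groups, so the result should be checked the same way.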

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
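For the fix the patch is working toward, the following is an added example (not maildrop's code; helper names are assumptions) of a privilege drop that clears supplementary groups and then verifies the result; `has_stray_groups` is checked against the group lists from the two `id` outputs in the report.

```c
/* Added example, not maildrop's code: drop root privileges in the order that
 * also clears supplementary groups, then verify the result rather than trust
 * return codes. Helper names are hypothetical; assumes Linux/glibc. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the group list holds any group other than `keep`. Fed the
 * report's first `id` output (groups 0,1,2,3,4,6,10 still present after the
 * switch to uid 13910) it flags the leak; the second (13910 only) passes. */
int has_stray_groups(const gid_t *groups, int n, gid_t keep)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            return 1;
    return 0;
}

/* Switch to uid/gid. Groups must be changed while still root: once setuid()
 * has moved to an unprivileged uid, setgroups()/setgid() are refused.
 * Returns 0 on success, -1 on any failure or leftover privilege. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)  /* the step the vulnerable code omitted */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify, as the maildrop patch does with getuid(), and confirm that
     * root cannot be regained through a saved or effective id. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    gid_t cur[64];  /* one entry expected after setgroups(1, ...) above */
    int n = getgroups(64, cur);
    return (n < 0 || has_stray_groups(cur, n, gid)) ? -1 : 0;
}

int main(void)
{
    /* 13910 is the testmaildrop uid/gid from the report's output */
    if (drop_privileges(13910, 13910) != 0) {
        perror("drop_privileges");  /* EPERM when not started as root */
        return 1;
    }
    puts("privileges dropped; no supplementary groups remain");
    return 0;
}
```

Run as root to exercise the full drop; unprivileged, `setgroups()` fails with EPERM and the function reports failure instead of continuing with the caller's groups.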
Comment 2 Jan Lieskovsky 2010-02-04 11:41:24 EST
Axel,

  any progress with scheduling Fedora maildrop updates?

Thanks, Jan.
Comment 3 Fedora Update System 2010-02-14 11:32:53 EST
maildrop-2.4.0-12.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc12
Comment 4 Fedora Update System 2010-02-14 11:33:02 EST
maildrop-2.4.0-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc11
Comment 5 Fedora Update System 2010-02-16 08:10:11 EST
maildrop-2.4.0-12.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2010-02-16 08:21:41 EST
maildrop-2.4.0-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
