Bug 559681 (CVE-2010-0301) - CVE-2010-0301 maildrop: does not drop supplementary groups when dropping privileges
Summary: CVE-2010-0301 maildrop: does not drop supplementary groups when dropping priv...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-0301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 559684
Blocks:
 
Reported: 2010-01-28 18:26 UTC by Vincent Danen
Modified: 2019-09-29 12:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-09 18:19:03 UTC
Embargoed:



Description Vincent Danen 2010-01-28 18:26:19 UTC
Christoph Anton Mitterer reported [1] that maildrop is prone to a privilege escalation issue that grants a user root group privileges.  This is due to maildrop not dropping supplementary groups when being invoked by root.

Simple testcase is to create a testmaildrop user and then create ~testmaildrop/.mailfilter (owned by testmaildrop and mode 0600):

% sudo cat ~testmaildrop/.mailfilter
echo `id`
exit
% sudo maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note that Debian has maildrop only sgid mail, but Fedora provides maildrop suid root and sgid mail.  Also note that this cannot be used to quickly elevate your own privileges and this can only be taken advantage of if maildrop is actually executed by root (even with it being suid root):

% sudo su - testmaildrop
$ maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=13910(testmaildrop) groups=13910(testmaildrop) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -al `which maildrop`
-rwsr-sr-x. 1 root mail 175944 2009-09-04 15:49 /usr/bin/maildrop

The Debian bug report notes this patch will fix the issue:

diff -U3 -r1.58 main.C
--- maildrop/main.C 13 Jan 2010 01:32:02 -0000  1.58
+++ maildrop/main.C 15 Jan 2010 03:49:01 -0000
@@ -476,6 +476,8 @@
                    nouser();
#if RESET_GID
                setgroupid(my_pw->pw_gid);
+#else
+               setgroupid(getegid());
#endif
                setuid(my_pw->pw_uid);
                if (getuid() != my_pw->pw_uid)
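Review bot: the new `#else` branch calls `setgroupid(getegid());` without checking its result, while the `setuid(my_pw->pw_uid);` two lines below is verified by the following `if (getuid() != my_pw->pw_uid)` test; the group drop deserves the same treatment. The hunk also does not show `setgroupid()` itself, so before accepting this as the fix for the report confirm that it clears the supplementary group list (a `setgroups()` call) and not only the primary gid, since the groups inherited from root are exactly what the `id` output in the description shows leaking, and ideally verify afterwards with `getgroups()` rather than assuming success. Note too that with `RESET_GID` undefined the process keeps its current effective gid rather than `my_pw->pw_gid`, which is a deliberate difference from the `#if RESET_GID` path and worth a comment at this spot.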


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
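
The following is an added example, not maildrop's code and not part of the bug report or the Debian patch: a generic root-to-user privilege drop in C that clears the supplementary group list with setgroups() before setgid()/setuid() and verifies each step against the kernel, plus a small checker that parses the `groups=` field of an `id` output line (the format used in the test case above) and reports whether the drop was complete. All function names, the constructed `id` lines, and the command-line interface are this example's own assumptions.

```c
/* Added example (not from maildrop): complete privilege drop and a checker
 * for `id` output. Build: cc -Wall -o dropcheck dropcheck.c */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* 1 if every entry of groups[] equals target (vacuously true for n == 0). */
int groups_are_clean(const gid_t *groups, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Parse the "groups=0(root),1(bin),..." field of an `id` line into out[]
 * (at most max entries), skipping the "(name)" annotations. Returns the
 * count, or -1 if the field is missing or malformed. */
int parse_id_groups(const char *id_line, gid_t *out, int max)
{
    const char *p = strstr(id_line, "groups=");
    if (p == NULL)
        return -1;
    p += strlen("groups=");
    int n = 0;
    while (*p != '\0' && *p != ' ' && n < max) {
        char *end;
        unsigned long g = strtoul(p, &end, 10);
        if (end == p)
            return -1;              /* expected a numeric gid here */
        out[n++] = (gid_t)g;
        p = end;
        if (*p == '(') {
            p = strchr(p, ')');
            if (p == NULL)
                return -1;
            p++;
        }
        if (*p == ',')
            p++;
    }
    return n;
}

/* Number of groups an `id` line reports, or -1 on error. */
int count_id_groups(const char *id_line)
{
    gid_t groups[MAX_GROUPS];
    return parse_id_groups(id_line, groups, MAX_GROUPS);
}

/* 1 if the `id` line shows gid == target and no other group at all. */
int id_line_is_clean(const char *id_line, gid_t target)
{
    gid_t groups[MAX_GROUPS];
    int n = parse_id_groups(id_line, groups, MAX_GROUPS);
    const char *g = strstr(id_line, " gid=");   /* leading space avoids "egid=" */
    if (n < 0 || g == NULL)
        return 0;
    if (strtoul(g + strlen(" gid="), NULL, 10) != target)
        return 0;
    return groups_are_clean(groups, n, target);
}

/* Drop from root to uid/gid: supplementary groups first (the step the bug
 * is about), then the primary gid, then the uid, checking the kernel's view
 * after each. Returns 0 on success, -1 on any failure; the caller must abort
 * rather than continue half-dropped. Needs root (CAP_SETGID/CAP_SETUID). */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t only[1] = { gid };
    gid_t now[MAX_GROUPS];
    int n;

    if (setgroups(1, only) != 0)            /* replaces the inherited list */
        return -1;
    if (setgid(gid) != 0 || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid)
        return -1;
    n = getgroups(MAX_GROUPS, now);
    if (n < 0 || !groups_are_clean(now, n, gid))
        return -1;
    if (uid != 0 && setuid(0) == 0)         /* a real drop cannot be undone */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s UID GID  (run as root)\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execlp("id", "id", (char *)NULL);       /* show the result as the report does */
    perror("execlp");
    return 1;
}
```

Run as root with the target user's numeric uid and gid; the `id` line it prints should show a single `groups=` entry equal to `gid=`, which is what `id_line_is_clean()` checks when fed the output captured from a test like the one in the description. The order matters: once setuid() has succeeded, a non-root process can no longer call setgroups(), so the group list has to be cleared before the uid is changed.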

Comment 2 Jan Lieskovsky 2010-02-04 16:41:24 UTC
Axel,

  any progress with scheduling Fedora maildrop updates?

Thanks, Jan.

Comment 3 Fedora Update System 2010-02-14 16:32:53 UTC
maildrop-2.4.0-12.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc12

Comment 4 Fedora Update System 2010-02-14 16:33:02 UTC
maildrop-2.4.0-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc11

Comment 5 Fedora Update System 2010-02-16 13:10:11 UTC
maildrop-2.4.0-12.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-02-16 13:21:41 UTC
maildrop-2.4.0-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

