[Full-Disclosure] Local root compromise possible with getmail
baikie at ehwhat.freeserve.co.uk
Sun Sep 19 15:32:38 BST 2004
The following vulnerabilities apply to all releases of getmail prior to 3.2.5,
and all version 4 releases prior to 4.2.0. They do not apply where getmail is
run as an unprivileged user, or where an unprivileged external MDA is used
for the final delivery of mail. They are not exploitable remotely.
Although it is not the recommended mode of operation, by being run as root,
getmail is able give users ownership of the files containing their new mail.
However, the built-in mail delivery code was not suitable for use as root in
the presence of hostile local users. It had the following vulnerabilities:
Mbox delivery (version 4 releases prior to 4.2.0):
Attacker replacing an mbox file with a symbolic link can have mail delivered
(as root) into a new mbox file with a name and path of their choosing.
Successful exploitation of a race condition allows existing files to be
overwritten. The files are given 600 permissions and the same owner/group
as the directory containing the mbox delivery point.
Maildir delivery (version 4 releases prior to 4.2.0, all releases prior to
Attacker replacing subdirectories of a maildir with suitable symbolic links
can have mail delivered into an arbitrary directory. Filenames cannot be
chosen by the attacker, but successful exploitation of a race condition can
allow arbitrary file contents to be substituted for mail. The files are given
600 permissions and the same owner/group as the maildir.
Both sets of vulnerabilities may be exploited to have arbitrary commands
executed as root.
Do not run getmail as a privileged user; or, in version 4, use an external MDA
with explicitly configured user and group privileges.
Versions 3.2.5 and 4.2.0 are now available at:
Version 3.2.5 just enforces the workaround. Version 4.2.0 solves the problem
by dropping privileges to those of an explicitly configured user before
delivering mail, as was already done for delivery by external MDAs.
Note: version 4 releases require Python 2.3.3 or later. Python 2.3.x can be
installed alongside an earlier version if required; see the README file in
the latest source tarball, available at http://www.python.org. Once
installed, getmail will use whichever version was initially used to run its
Full-Disclosure is hosted and sponsored by Secunia.