Date: Tue, 16 Jun 2020 14:24:16 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: Re: Remote Code Execution in qmail (CVE-2005-1513) Hi all, Our Linux exploit for CVE-2005-1513 in qmail is attached to this email. Alternatively, it will be available at: https://www.qualys.com/research/security-advisories/ A few notes about this exploit: - It works as-is against a default, unpatched installation of qmail on Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of memory on the target machine, and creates a file in /tmp when successful. - It can be ported to other Linux distributions (if the qmail-local binary is not full-RELRO) by modifying the lines marked with XXX in the exploit code. - To obtain the mmap layout described in our advisory, the exploit simulates the qmail-local program, and must therefore be executed on the same type of Linux distribution as the target. For example, in our tests, we executed the exploit on a Debian 10.0 machine and remotely attacked a Debian 10.3 machine. The exploit parameters can probably be calculated without the qmail-local simulation, and can certainly be precalculated, but we wanted to keep our exploit as general as possible. For the local exploit (LPE), there are only two command-line arguments: - "user": the name of the target user (on a default Debian installation, this can be "man", "root", "avahi-autoipd", or any real user account). - "domain": by default, the hostname in "/var/lib/qmail/control/me". For the command line of the remote exploit (RCE), there are three mandatory options, three arguments, and one optional option: - "-i client_ip": the IP address of the attacking machine, as seen by the target machine. - "-h client_host": the hostname of the attacking machine (if it has no reverse DNS, the empty string can be specified, and the exploit will use qmail's default, "unknown"). - "-s server_host": the hostname of the target machine (by default, the same as the "domain" below). - "user": the name of the target user. - "domain": by default, the hostname in "/var/lib/qmail/control/me" on the target machine (and hence the hostname in qmail's SMTP banner). - "server_ip": the IP address of the target machine. - "-d homedir": the home directory of the target user, if known (otherwise, the exploit uses a reasonable default). We are at your disposal for questions, comments, and further discussions. Thank you very much! With best regards, -- the Qualys Security Advisory team [https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner> This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us. Download attachment "CVE-2005-1513.tar.gz" of type "application/gzip" (68009 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.