[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200616213013.GB26798@localhost.localdomain>
Date: Tue, 16 Jun 2020 14:30:13 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Remote Code Execution in qmail (CVE-2005-1513)
Hi all,
Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at:
https://www.qualys.com/research/security-advisories/
A few notes about this exploit:
- It works as-is against a default, unpatched installation of qmail on
Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of
memory on the target machine, and creates a file in /tmp when
successful.
- It can be ported to other Linux distributions (if the qmail-local
binary is not full-RELRO) by modifying the lines marked with XXX in
the exploit code.
- To obtain the mmap layout described in our advisory, the exploit
simulates the qmail-local program, and must therefore be executed on
the same type of Linux distribution as the target. For example, in our
tests, we executed the exploit on a Debian 10.0 machine and remotely
attacked a Debian 10.3 machine.
The exploit parameters can probably be calculated without the
qmail-local simulation, and can certainly be precalculated, but we
wanted to keep our exploit as general as possible.
For the local exploit (LPE), there are only two command-line arguments:
- "user": the name of the target user (on a default Debian installation,
this can be "man", "root", "avahi-autoipd", or any real user account).
- "domain": by default, the hostname in "/var/lib/qmail/control/me".
For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option:
- "-i client_ip": the IP address of the attacking machine, as seen by
the target machine.
- "-h client_host": the hostname of the attacking machine (if it has no
reverse DNS, the empty string can be specified, and the exploit will
use qmail's default, "unknown").
- "-s server_host": the hostname of the target machine (by default, the
same as the "domain" below).
- "user": the name of the target user.
- "domain": by default, the hostname in "/var/lib/qmail/control/me" on
the target machine (and hence the hostname in qmail's SMTP banner).
- "server_ip": the IP address of the target machine.
- "-d homedir": the home directory of the target user, if known
(otherwise, the exploit uses a reasonable default).
We are at your disposal for questions, comments, and further
discussions. Thank you very much!
With best regards,
--
the Qualys Security Advisory team
[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>
This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.
Download attachment "CVE-2005-1513.tar.gz" of type "application/gzip" (68009 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists