lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 16 Jun 2020 14:30:13 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Remote Code Execution in qmail (CVE-2005-1513)

Hi all,

Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at:

https://www.qualys.com/research/security-advisories/

A few notes about this exploit:

- It works as-is against a default, unpatched installation of qmail on
  Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of
  memory on the target machine, and creates a file in /tmp when
  successful.

- It can be ported to other Linux distributions (if the qmail-local
  binary is not full-RELRO) by modifying the lines marked with XXX in
  the exploit code.

- To obtain the mmap layout described in our advisory, the exploit
  simulates the qmail-local program, and must therefore be executed on
  the same type of Linux distribution as the target. For example, in our
  tests, we executed the exploit on a Debian 10.0 machine and remotely
  attacked a Debian 10.3 machine.

  The exploit parameters can probably be calculated without the
  qmail-local simulation, and can certainly be precalculated, but we
  wanted to keep our exploit as general as possible.

For the local exploit (LPE), there are only two command-line arguments:

- "user": the name of the target user (on a default Debian installation,
  this can be "man", "root", "avahi-autoipd", or any real user account).

- "domain": by default, the hostname in "/var/lib/qmail/control/me".

For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option:

- "-i client_ip": the IP address of the attacking machine, as seen by
  the target machine.

- "-h client_host": the hostname of the attacking machine (if it has no
  reverse DNS, the empty string can be specified, and the exploit will
  use qmail's default, "unknown").

- "-s server_host": the hostname of the target machine (by default, the
  same as the "domain" below).

- "user": the name of the target user.

- "domain": by default, the hostname in "/var/lib/qmail/control/me" on
  the target machine (and hence the hostname in qmail's SMTP banner).

- "server_ip": the IP address of the target machine.

- "-d homedir": the home directory of the target user, if known
  (otherwise, the exploit uses a reasonable default).

We are at your disposal for questions, comments, and further
discussions. Thank you very much!

With best regards,

--
the Qualys Security Advisory team


[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>



This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Download attachment "CVE-2005-1513.tar.gz" of type "application/gzip" (68009 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists