CVE-2008-2936

Current Description

Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.

Evaluator Description

Please refer to the following links for additional version information (vendor release notes):Postfix 2.3 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.3.15.RELEASE_NOTESPostfix 2.4 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.4.8.RELEASE_NOTESPostfix 2.5 - ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.5.4.RELEASE_NOTESPostfix 2.6 - ftp://mirrors.loonybin.net/pub/postfix/experimental/postfix-2.6-20080814.RELEASE_NOTES

Basic Data

PublishedAugust 18, 2008
Last ModifiedOctober 11, 2018
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-264
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:L/AC:H/Au:N/C:C/I:C/A:C
CVSS 2 - Access VectorLOCAL
CVSS 2 - Access ComplexityHIGH
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactCOMPLETE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score6.2
SeverityMEDIUM
Exploitability Score1.9
Impact Score10.0
Obtain All Privilegetrue
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationPostfixPostfix2.3.0*******
    2.3ApplicationPostfixPostfix2.3.1*******
    2.3ApplicationPostfixPostfix2.3.2*******
    2.3ApplicationPostfixPostfix2.3.3*******
    2.3ApplicationPostfixPostfix2.3.4*******
    2.3ApplicationPostfixPostfix2.3.5*******
    2.3ApplicationPostfixPostfix2.3.6*******
    2.3ApplicationPostfixPostfix2.3.7*******
    2.3ApplicationPostfixPostfix2.3.8*******
    2.3ApplicationPostfixPostfix2.3.9*******
    2.3ApplicationPostfixPostfix2.3.10*******
    2.3ApplicationPostfixPostfix2.3.11*******
    2.3ApplicationPostfixPostfix2.3.12*******
    2.3ApplicationPostfixPostfix2.3.13*******
    2.3ApplicationPostfixPostfix2.3.14*******
    2.3ApplicationPostfixPostfix2.4.0*******
    2.3ApplicationPostfixPostfix2.4.1*******
    2.3ApplicationPostfixPostfix2.4.2*******
    2.3ApplicationPostfixPostfix2.4.3*******
    2.3ApplicationPostfixPostfix2.4.4*******
    2.3ApplicationPostfixPostfix2.4.5*******
    2.3ApplicationPostfixPostfix2.4.6*******
    2.3ApplicationPostfixPostfix2.4.7*******
    2.3ApplicationPostfixPostfix2.5.0*******
    2.3ApplicationPostfixPostfix2.5.1*******
    2.3ApplicationPostfixPostfix2.5.2*******
    2.3ApplicationPostfixPostfix2.5.3*******
    2.3ApplicationPostfixPostfix2.6.0*******

Vulnerable Software List

VendorProductVersions
Postfix Postfix 2.3.0, 2.3.1, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0

References

NameSourceURLTags
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORYftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORYCONFIRM
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORYftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORYCONFIRM
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORYftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORYCONFIRM
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORYftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORYCONFIRM
[postfix-announce] 20080814 Postfix local privilege escalation via hardlinked symlinkshttp://article.gmane.org/gmane.mail.postfix.announce/110MLIST
SUSE-SA:2008:040http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.htmlSUSE
31469http://secunia.com/advisories/31469SECUNIA
31474http://secunia.com/advisories/31474SECUNIA
31477http://secunia.com/advisories/31477SECUNIA
31485http://secunia.com/advisories/31485SECUNIAVendor Advisory
31500http://secunia.com/advisories/31500SECUNIAVendor Advisory
31530http://secunia.com/advisories/31530SECUNIA
32231http://secunia.com/advisories/32231SECUNIA
GLSA-200808-12http://security.gentoo.org/glsa/glsa-200808-12.xmlGENTOO
4160http://securityreason.com/securityalert/4160SREASON
http://wiki.rpath.com/Advisories:rPSA-2008-0259http://wiki.rpath.com/Advisories:rPSA-2008-0259CONFIRM
DSA-1629http://www.debian.org/security/2008/dsa-1629DEBIAN
VU#938323http://www.kb.cert.org/vuls/id/938323CERT-VNUS Government Resource
MDVSA-2008:171http://www.mandriva.com/security/advisories?name=MDVSA-2008:171MANDRIVA
RHSA-2008:0839http://www.redhat.com/support/errata/RHSA-2008-0839.htmlREDHAT
20080814 Postfix local privilege escalation via hardlinked symlinkshttp://www.securityfocus.com/archive/1/495474/100/0/threadedBUGTRAQ
20080821 rPSA-2008-0259-1 postfixhttp://www.securityfocus.com/archive/1/495632/100/0/threadedBUGTRAQ
20080831 PoCfix (PoC for Postfix local root vuln - CVE-2008-2936)http://www.securityfocus.com/archive/1/495882/100/0/threadedBUGTRAQ
30691http://www.securityfocus.com/bid/30691BIDPATCH
1020700http://www.securitytracker.com/id?1020700SECTRACK
ADV-2008-2385http://www.vupen.com/english/advisories/2008/2385VUPEN
postfix-symlink-code-execution(44460)https://exchange.xforce.ibmcloud.com/vulnerabilities/44460XF
https://issues.rpath.com/browse/RPL-2689https://issues.rpath.com/browse/RPL-2689CONFIRM
oval:org.mitre.oval:def:10033https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033OVAL
USN-636-1https://usn.ubuntu.com/636-1/UBUNTU
6337https://www.exploit-db.com/exploits/6337EXPLOIT-DB
FEDORA-2008-8595https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.htmlFEDORA
FEDORA-2008-8593https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.htmlFEDORA