fulldisclosure logo Full Disclosure mailing list archives

Re: Remote Code Execution in qmail (CVE-2005-1513)

From: Qualys Security Advisory <qsa () qualys com>
Date: Tue, 16 Jun 2020 14:30:13 -0700

Hi all, Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at: https://www.qualys.com/research/security-advisories/ A few notes about this exploit: - It works as-is against a default, unpatched installation of qmail on Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of memory on the target machine, and creates a file in /tmp when successful. - It can be ported to other Linux distributions (if the qmail-local binary is not full-RELRO) by modifying the lines marked with XXX in the exploit code. - To obtain the mmap layout described in our advisory, the exploit simulates the qmail-local program, and must therefore be executed on the same type of Linux distribution as the target. For example, in our tests, we executed the exploit on a Debian 10.0 machine and remotely attacked a Debian 10.3 machine. The exploit parameters can probably be calculated without the qmail-local simulation, and can certainly be precalculated, but we wanted to keep our exploit as general as possible. For the local exploit (LPE), there are only two command-line arguments: - "user": the name of the target user (on a default Debian installation, this can be "man", "root", "avahi-autoipd", or any real user account). - "domain": by default, the hostname in "/var/lib/qmail/control/me". For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option: - "-i client_ip": the IP address of the attacking machine, as seen by the target machine. - "-h client_host": the hostname of the attacking machine (if it has no reverse DNS, the empty string can be specified, and the exploit will use qmail's default, "unknown"). - "-s server_host": the hostname of the target machine (by default, the same as the "domain" below). - "user": the name of the target user. - "domain": by default, the hostname in "/var/lib/qmail/control/me" on the target machine (and hence the hostname in qmail's SMTP banner). - "server_ip": the IP address of the target machine. - "-d homedir": the home directory of the target user, if known (otherwise, the exploit uses a reasonable default). We are at your disposal for questions, comments, and further
discussions. Thank you very much! With best regards, --
the Qualys Security Advisory team [https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner> This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Attachment: CVE-2005-1513.tar.gz

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date           By Thread  

Current thread:

  • Re: Remote Code Execution in qmail (CVE-2005-1513) Qualys Security Advisory (Jun 23)

Follow me for more information.