Menu

Search for hundreds of thousands of exploits

"GNU Mailutils 3.7 - Privilege Escalation"

Author

Exploit author

"Mike Gualtieri"

Platform

Exploit platform

linux

Release date

Exploit published date

2019-11-21

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# Exploit Title: GNU Mailutils 3.7 - Local Privilege Escalation
# Date: 2019-11-06
# Exploit Author: Mike Gualtieri
# Vendor Homepage: https://mailutils.org/
# Software Link: https://ftp.gnu.org/gnu/mailutils/mailutils-3.7.tar.gz
# Version: 2.0 <= 3.7
# Tested on: Gentoo
# CVE : CVE-2019-18862

Title   : GNU Mailutils / Maidag Local Privilege Escalation
Author  : Mike Gualtieri :: https://www.mike-gualtieri.com
Date    : 2019-11-06
Updated : 2019-11-20

Vendor Affected:   GNU Mailutils :: https://mailutils.org/
Versions Affected: 2.0 - 3.7
CVE Designator:    CVE-2019-18862


1. Overview

The --url parameter included in the GNU Mailutils maidag utility (versions 2.0
through 3.7) can abused to write to arbitrary files on the host operating
system.  By default, maidag is set to execute with setuid root permissions,
which can lead to local privilege escalation through code/command execution by
writing to the system's crontab or by writing to other root owned files on the
operating system.



2. Detail

As described by the project's homepage, "GNU Mailutils is a swiss army knife of 
electronic mail handling. It offers a rich set of utilities and daemons for
processing e-mail".

Maidag, a mail delivery agent utility included in the suite, is by default
marked to execute with setuid (suid) root permissions.

The --url parameter of maidag can be abused to write to arbitrary files on the 
operating system.  Abusing this option while the binary is marked with suid 
permissions allows a low privileged user to write to arbitrary files on the 
system as root.  Writing to the crontab, for example, may lead to a root shell.

The flaw itself appears to date back to the 2008-10-19 commit, when the --url 
parameter was introduced to maidag.

	11637b0f - New maidag mode: --url
	https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=11637b0f262db62b4dc466cefb9315098a1a995a

	maidag/Makefile.am:
    	chmod 4755 $(DESTDIR)$(sbindir)/$$i;\


The following payload will execute arbitrary commands as root and works with 
versions of maidag, through version 3.7.

	maidag  --url /etc/crontab < /tmp/crontab.in

	The file /tmp/crontab.in would contain a payload like the following.  

	line 1:
	line 2: */1  *  * * *  root    /tmp/payload.sh

	Please note: For the input to be accepted by maidag, the first line of the
    file must be blank or be commented.

	In the above example, the file /tmp/payload.sh would include arbitrary 
    commands to execute as root.


Older versions of GNU Mailutils (2.2 and previous) require a different syntax:

	maidag --url 'mbox://[email protected] //etc/crontab' < /tmp/crontab.in



3. Solution

A fix for the flaw has been made in GNU Mailutils 3.8, which removes the maidag 
utility, and includes three new utilities that replace its functionality.  
Details about the new features can be found in the project's release notes:

	https://git.savannah.gnu.org/cgit/mailutils.git/tree/NEWS

Another workaround for those unable to upgrade, is to remove the suid bit on 
/usr/sbin/maidag (e.g. `chmod u-s /usr/sbin/maidag`).

It should be noted that some Linux distributions already remove the suid bit
from maidag by default, nullifying this privilege escalation flaw.

Another patch has been made available by Sergey Poznyakoff and posted to the
GNU Mailutils mailing list, which removes the setuid bit for maidag in all but
required cases.  The patch is intended for users who can not yet upgrade to
mailutils 3.8.  The patch has also been made available here:
https://www.mike-gualtieri.com/files/maidag-dropsetuid.patch



4. Additional Comments

This vulnerability disclosure was submitted to MITRE Corporation for inclusion
in the Common Vulnerabilities and Exposures (CVE) database.  The designator
CVE-2019-18862 has been assigned.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18862
https://nvd.nist.gov/vuln/detail/CVE-2019-18862

The NIST National Vulnerability Database (NVD) has assigned the following
ratings:

CVSS 3.x Severity and Metrics: Base Score: 7.8 HIGH
CVSS 2.0 Severity and Metrics: Base Score: 4.6 MEDIUM

This disclosure will be updated as new information becomes available.  



5. History

2019-10-09 Informed Sergey Poznyakoff <[email protected]> of security issue

2019-10-10 Reply from Sergey acknowledging the issue

2019-10-12 Fix available in the GNU Mailutils git repository:
           739c6ee5 - Split maidag into three single-purpose tools
           https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=739c6ee525a4f7bb76b8fe2bd75e81a122764ced

2019-11-06 GNU Mailutils Version 3.8 released to close the issue

2019-11-06 Submission of this vulnerability disclosure to MITRE Corporate to
           obtain a CVE designator

2019-11-07 Patch offered by Sergey for those unable to upgrade to version 3.8

2019-11-11 CVE-2019-18862 assigned to flaw

2019-11-20 Vulnerability disclosure made publicly available
Release DateTitleTypePlatformAuthor
2020-04-03"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-02"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)"localwindows"Paras Bhatia"
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
Release DateTitleTypePlatformAuthor
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-03-02"netkit-telnet-0.17 telnetd (Fedora 31) - 'BraveStarr' Remote Code Execution"remotelinuxImmunity
2020-02-26"OpenSMTPD 6.6.3 - Arbitrary File Read"remotelinux"Qualys Corporation"
2020-02-24"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-02-24"Go SSH servers 0.0.2 - Denial of Service (PoC)"doslinux"Mark Adams"
2020-02-24"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)"remotelinuxMetasploit
2020-02-10"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-02-10"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init"doslinux"Google Security Research"
2020-02-06"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow"locallinux"Dylan Katz"
2020-02-06"VIM 8.2 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2020-02-05"xglance-bin 11.00 - Privilege Escalation"locallinuxredtimmysec
2020-02-05"Socat 1.7.3.4 - Heap-Based Overflow (PoC)"locallinuxhieubl
2020-02-04"Sudo 1.8.25p - Buffer Overflow"locallinux"Joe Vennix"
2020-02-04"F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)"webappslinux"Kevin Joensen"
2020-02-03"BearFTP 0.1.0 - 'PASV' Denial of Service"doslinuxkolya5544
2020-01-30"OpenSMTPD 6.6.2 - Remote Code Execution"remotelinux1F98D
2020-01-23"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-01-23"Pachev FTP Server 1.0 - Path Traversal"remotelinux1F98D
2020-01-15"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)"remotelinuxMetasploit
2020-01-14"Redir 3.3 - Denial of Service (PoC)"doslinuxhieubl
2020-01-10"ASTPP 4.0.1 VoIP Billing - Database Backup Download"webappslinux"Fabien AUNAY"
2020-01-08"ASTPP VoIP 4.0.1 - Remote Code Execution"remotelinux"Fabien AUNAY"
2019-12-30"Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)"locallinuxMetasploit
2019-12-18"OpenMRS - Java Deserialization RCE (Metasploit)"remotelinuxMetasploit
2019-12-16"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds"locallinux"Google Security Research"
Release DateTitleTypePlatformAuthor
2019-11-21"GNU Mailutils 3.7 - Privilege Escalation"locallinux"Mike Gualtieri"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47703/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse