Exim4 spool directory symlink local root escalation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
exim4 (Ubuntu) | Fix Released | Critical | Unassigned | |
Bug Description
Exim4 follows symlinks in various operations in /var/spool/exim4. By placing crafted symlinks, escalation from user "Debian-exim" to "root" is possible.
See http://
# pwd
/var/spool/exim4
# /usr/bin/id
uid=106(
# gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=
# ./EximUpgrade --Upgrade
Relinked /var/spool/
Target ready for writing
uid=0(root) gid=0(root) groups=
# ...
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy exim4-daemon-light
exim4-daemon-light:
Installed: 4.86.2-2ubuntu2
Candidate: 4.86.2-2ubuntu2
Version table:
*** 4.86.2-2ubuntu2 500
500 http://
100 /var/lib/
CVE References
information type: Private Security → Public Security
Changed in exim4 (Ubuntu):
status: New → Confirmed
Changed in exim4 (Ubuntu):
importance: Undecided → Critical
Exim 4.88 changelog:
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
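
The bug class in the description above is a privileged process following symlinks inside a directory that a less-privileged user can write to. The following added example shows one defensive way to open a file there without following links; it is not Exim's code and not the fix applied in Exim 4.88. The function names, the file names `msg-D` and `msg-H`, and the temporary directory are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` inside spool directory `dirfd` for writing without following
 * a symlink planted there. Returns an fd, or -1 with errno set. */
int open_spool_file(int dirfd, const char *name)
{
    struct stat st;
    /* O_NOFOLLOW: ELOOP if the last path component is a symlink.
     * O_NONBLOCK: do not block on a FIFO placed in the directory. */
    int fd = openat(dirfd, name,
                    O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Inspect the opened object, not the path, so there is no re-check race.
     * Reject non-regular files and files with extra hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo: a temp "spool" with one real file and one symlink.
 * Returns 0 when the real file opens and the symlink is refused with ELOOP. */
int demo(void)
{
    char dir[] = "/tmp/spooldemoXXXXXX";   /* hypothetical stand-in directory */
    if (!mkdtemp(dir)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    int f = openat(dfd, "msg-D", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (f < 0 || symlinkat("msg-D", dfd, "msg-H") != 0) return -1;
    close(f);
    int ok = open_spool_file(dfd, "msg-D");     /* regular file: accepted */
    int bad = open_spool_file(dfd, "msg-H");    /* symlink: refused */
    int refused = (bad < 0 && errno == ELOOP);
    if (ok >= 0) close(ok);
    unlinkat(dfd, "msg-D", 0); unlinkat(dfd, "msg-H", 0);
    close(dfd); rmdir(dir);
    return (ok >= 0 && refused) ? 0 : 1;
}

int main(void) { return demo(); }
```

`O_NOFOLLOW` only guards the final path component, which is why the example resolves names relative to a directory descriptor that was itself opened with `O_NOFOLLOW | O_DIRECTORY`.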