<<< Date Index >>>     <<< Thread Index >>>

Local root compromise possible with getmail



The following vulnerabilities apply to all releases of getmail prior to 3.2.5, 
and all version 4 releases prior to 4.2.0. They do not apply where getmail is 
run as an unprivileged user, or where an unprivileged external MDA is used 
for the final delivery of mail. They are not exploitable remotely.

Although it is not the recommended mode of operation, by being run as root, 
getmail is able give users ownership of the files containing their new mail. 
However, the built-in mail delivery code was not suitable for use as root in 
the presence of hostile local users. It had the following vulnerabilities:

Mbox delivery (version 4 releases prior to 4.2.0):

Attacker replacing an mbox file with a symbolic link can have mail delivered 
(as root) into a new mbox file with a name and path of their choosing. 
Successful exploitation of a race condition allows existing files to be 
overwritten. The files are given 600 permissions and the same owner/group
as the directory containing the mbox delivery point.

Maildir delivery (version 4 releases prior to 4.2.0, all releases prior to 
3.2.5):

Attacker replacing subdirectories of a maildir with suitable symbolic links 
can have mail delivered into an arbitrary directory. Filenames cannot be 
chosen by the attacker, but successful exploitation of a race condition can 
allow arbitrary file contents to be substituted for mail. The files are given 
600 permissions and the same owner/group as the maildir.

Both sets of vulnerabilities may be exploited to have arbitrary commands 
executed as root.

Workaround:

Do not run getmail as a privileged user; or, in version 4, use an external MDA 
with explicitly configured user and group privileges.

Fix:

Versions 3.2.5 and 4.2.0 are now available at:

http://www.qcc.ca/~charlesc/software/getmail-4/

Version 3.2.5 just enforces the workaround. Version 4.2.0 solves the problem 
by dropping privileges to those of an explicitly configured user before 
delivering mail, as was already done for delivery by external MDAs.

Note: version 4 releases require Python 2.3.3 or later. Python 2.3.x can be 
installed alongside an earlier version if required; see the README file in 
the latest source tarball, available at http://www.python.org. Once 
installed, getmail will use whichever version was initially used to run its 
setup script.