Wednesday, August 13, 2008

postfix trickery

Eventually, after years of research, I was able to add postfix
to my personal list of the exceptional exploited programs (exexpro) }|-)

As of now, updates are already available. CVE-2008-2936 and CVE-2008-2937
have been assigned to this issue. My dear colleague Thomas will have sent an advisory out today
(I am writing this one day before the CRD).
So far, my exexpro list has grown to contain the following (in random order):
Postfix, rsync, traceroute, modprobe/kernel, vixie crontab, suidperl, sudo, lpr, cups,
ppp, ippp, LIDS, hylafax, racoon, to name just the more popular ones. Some of them appear multiple
times; some of them affected only BSD systems. The OpenBSD team was so kind as to
offer me a poster for a local root exploit in ppp years ago. Additionally,
dozens of less popular programs appear on the list, such as
imwheel, kreatecd, dip, wmcdplay, various other K* programs, etc. For all of them I wrote an exploit.
I am not able to provide exploits anymore due to the new law about this in Germany.
The exceptional exploited list also contains weak implementations of secure protocols (SSL, SSH),
weak protocols themselves (CHAP), or absolutely uncommon exploits (see the last posting, for instance).

Let's hope that I can continue the trickery list in the future and that the targets stay smart and
popular. Only a minority of the issues have been overflows or related bugs, BTW.

I hope you enjoy non-XSS related issues :-)


Anonymous said...

Nice one! If I understand correctly, you need to have the mailbox directory world-writable. Does that still exist?

Anonymous said...

Supporting broken systems always sucked ;)

Anonymous said...

Yes, they do exist.