A note to bug hunters: There is still low hanging fruit out there, even among popular software packages.
I recently discovered a Linux (and UNIX-like) privilege escalation flaw dating back over 10 years in GNU Mailutils, a popular package self-described as "a swiss army knife of electronic mail handling." The utility maidag, shipped with Mailutils until version 3.7, by default runs as setuid root. The unsafe behavior was found via the --url parameter, which can be abused to write to arbitrary files on the system.
The simplicity of the exploit (detailed in the vulnerability disclosure below) highlights that some flaws slip through the cracks, even after many years. The utility attracted my eye one morning when I was a little bored with my regular work tasks and decided to review some setuid utilities running on my system to see if any interesting options could be abused. The result was a root shell about 30 minutes after I homed in on maidag.
Although the flaw (now tracked as CVE-2019-18862) is trivial to exploit, one reason it might not have been found for some time is that several Linux distros (but not all) remove the suid bit upon installation of maidag, limiting the widespread impact.
My experience working with Sergey Poznyakoff, the lead developer of mailutils, was outstanding. Within 24 hours of reporting the flaw he had confirmed the issue, and two days later had a fix available in the project's repo. This is a speed that I've never experienced when reporting flaws to commercial vendors. Free/Libre Open Source Software for the win!
A disclosure about the flaw and exploit follows. Direct link to disclosure: GNU-Mailutils-VulnerabilityDisclosure-Nov19.txt
Title : GNU Mailutils / Maidag Local Privilege Escalation
Author : Mike Gualtieri :: https://www.mike-gualtieri.com
Date : 2019-11-06
Updated : 2019-11-20
Vendor Affected: GNU Mailutils :: https://mailutils.org/
Versions Affected: 2.0 - 3.7
CVE Designator: CVE-2019-18862

1. Overview

The --url parameter included in the GNU Mailutils maidag utility (versions 2.0 through 3.7) can be abused to write to arbitrary files on the host operating system. By default, maidag is set to execute with setuid root permissions, which can lead to local privilege escalation through code/command execution by writing to the system's crontab or to other root-owned files on the operating system.

2. Detail

As described by the project's homepage, "GNU Mailutils is a swiss army knife of electronic mail handling. It offers a rich set of utilities and daemons for processing e-mail". Maidag, a mail delivery agent utility included in the suite, is by default marked to execute with setuid (suid) root permissions.

The --url parameter of maidag can be abused to write to arbitrary files on the operating system. Abusing this option while the binary is marked with suid permissions allows a low-privileged user to write to arbitrary files on the system as root. Writing to the crontab, for example, may lead to a root shell.

The flaw itself appears to date back to the 2008-10-19 commit, when the --url parameter was introduced to maidag.

11637b0f - New maidag mode: --url
https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=11637b0f262db62b4dc466cefb9315098a1a995a

maidag/Makefile.am:
    chmod 4755 $(DESTDIR)$(sbindir)/$$i;\

The following payload will execute arbitrary commands as root and works with versions of maidag through version 3.7.

    maidag --url /etc/crontab < /tmp/crontab.in

The file /tmp/crontab.in would contain a payload like the following.

    line 1:
    line 2: */1 * * * * root /tmp/payload.sh

Please note: For the input to be accepted by maidag, the first line of the file must be blank or be commented. In the above example, the file /tmp/payload.sh would include arbitrary commands to execute as root.

Older versions of GNU Mailutils (2.2 and previous) require a different syntax:

    maidag --url 'mbox://user@localhost //etc/crontab' < /tmp/crontab.in

3. Solution

A fix for the flaw has been made in GNU Mailutils 3.8, which removes the maidag utility and includes three new utilities that replace its functionality. Details about the new features can be found in the project's release notes:
https://git.savannah.gnu.org/cgit/mailutils.git/tree/NEWS

A workaround for those unable to upgrade is to remove the suid bit on /usr/sbin/maidag (e.g. `chmod u-s /usr/sbin/maidag`). It should be noted that some Linux distributions already remove the suid bit from maidag by default, nullifying this privilege escalation flaw.

A patch has also been made available by Sergey Poznyakoff and posted to the GNU Mailutils mailing list, which removes the setuid bit for maidag in all but required cases. The patch is intended for users who cannot yet upgrade to Mailutils 3.8. The patch has also been made available here:
https://www.mike-gualtieri.com/files/maidag-dropsetuid.patch

4. Additional Comments

This vulnerability disclosure was submitted to MITRE Corporation for inclusion in the Common Vulnerabilities and Exposures (CVE) database. The designator CVE-2019-18862 has been assigned.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18862
https://nvd.nist.gov/vuln/detail/CVE-2019-18862

The NIST National Vulnerability Database (NVD) has assigned the following ratings:
CVSS 3.x Severity and Metrics: Base Score: 7.8 HIGH
CVSS 2.0 Severity and Metrics: Base Score: 4.6 MEDIUM

This disclosure will be updated as new information becomes available.

5. History

2019-10-09 Informed Sergey Poznyakoff of security issue
2019-10-10 Reply from Sergey acknowledging the issue
2019-10-12 Fix available in the GNU Mailutils git repository:
           739c6ee5 - Split maidag into three single-purpose tools
           https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=739c6ee525a4f7bb76b8fe2bd75e81a122764ced
2019-11-06 GNU Mailutils Version 3.8 released to close the issue
2019-11-06 Submission of this vulnerability disclosure to MITRE Corporation to obtain a CVE designator
2019-11-07 Patch offered by Sergey for those unable to upgrade to version 3.8
2019-11-11 CVE-2019-18862 assigned to flaw
2019-11-20 Vulnerability disclosure made publicly available
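An audit helper for the workaround in section 3, added here as an example and not part of the original disclosure or of GNU Mailutils. It assumes only the /usr/sbin/maidag install path named in the disclosure; every function takes an explicit path so it can be pointed elsewhere.

```shell
#!/bin/sh
# Added example: checks whether maidag (or any binary) is still setuid root and
# applies the disclosure's chmod u-s workaround. Not part of the original
# disclosure or of GNU Mailutils; the only assumption is the default path
# /usr/sbin/maidag from section 3.

# Return 0 if $1 is a regular file with the setuid bit set (any owner).
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Return 0 only if $1 is owned by root AND setuid: the combination that makes
# the --url write land as root. -user and -perm -4000 are POSIX find tests;
# -prune stops find from descending if it is ever handed a directory.
is_setuid_root() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user root -perm -4000 2>/dev/null)" ]
}

# Drop the setuid bit on $1 (the chmod u-s workaround) and verify it is gone.
drop_setuid() {
    chmod u-s "$1" && ! has_setuid_bit "$1"
}

# Inventory every setuid-root regular file on local filesystems: the kind of
# review of setuid utilities that turned up maidag in the first place.
list_setuid_root() {
    find / -xdev -type f -user root -perm -4000 2>/dev/null
}

# Check one or more maidag paths (default: /usr/sbin/maidag).
# Returns 0 if any checked binary is still setuid root, 1 otherwise.
audit_maidag() {
    if [ $# -eq 0 ]; then set -- /usr/sbin/maidag; fi
    rc=1
    for bin in "$@"; do
        if is_setuid_root "$bin"; then
            echo "VULNERABLE: $bin is setuid root (CVE-2019-18862 if Mailutils 2.0-3.7)"
            echo "  fix: upgrade to Mailutils 3.8 or run: chmod u-s $bin"
            rc=0
        elif [ -f "$bin" ]; then
            echo "ok: $bin is present but not setuid root"
        else
            echo "ok: $bin not installed"
        fi
    done
    return $rc
}

# Stand-alone run: audit the default path (exit status 0 means still exposed).
audit_maidag "$@" || :
```

Run list_setuid_root separately when you want the full inventory; it walks the whole local filesystem and needs root to read every directory.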
Posted: Nov 20, 2019
Keyword tags: security, infosec, vulnerability disclosure, privilege escalation, linux