Vulnerabilities > CVE-2005-2655 - Unspecified vulnerability in Maildrop

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

maildrop

critical

nessus

NVD

Published: 2005-08-30

Updated: 2008-09-05

Summary

lockmail in maildrop before 1.5.3 does not drop privileges before executing commands, which allows local users to gain privileges via command line arguments.

Vulnerable Configurations

Part	Description	Count
Application	Maildrop Maildrop Maildrop 0.50 Maildrop Maildrop 0.51 Maildrop Maildrop 0.51B Maildrop Maildrop 0.51C Maildrop Maildrop 0.54 Maildrop Maildrop 0.54A Maildrop Maildrop 0.54B Maildrop Maildrop 0.55 Maildrop Maildrop 0.55A Maildrop Maildrop 0.55B Maildrop Maildrop 0.55C Maildrop Maildrop 0.60 Maildrop Maildrop 0.61 Maildrop Maildrop 0.62 Maildrop Maildrop 0.63 Maildrop Maildrop 0.64 Maildrop Maildrop 0.65 Maildrop Maildrop 0.70 Maildrop Maildrop 0.71 Maildrop Maildrop 0.72 Maildrop Maildrop 0.73 Maildrop Maildrop 0.74 Maildrop Maildrop 0.75 Maildrop Maildrop 0.76 Maildrop Maildrop 0.99.1 Maildrop Maildrop 0.99.2 Maildrop Maildrop 1.0 Maildrop Maildrop 1.1 Maildrop Maildrop 1.2 Maildrop Maildrop 1.2.1 Maildrop Maildrop 1.2.2 Maildrop Maildrop 1.3.0 Maildrop Maildrop 1.3.1 Maildrop Maildrop 1.3.3 Maildrop Maildrop 1.3.4 Maildrop Maildrop 1.3.5 Maildrop Maildrop 1.3.6 Maildrop Maildrop 1.3.7 Maildrop Maildrop 1.3.8 Maildrop Maildrop 1.3.9 Maildrop Maildrop 1.4.0 Maildrop Maildrop 1.5.0 Maildrop Maildrop 1.5.1 Maildrop Maildrop 1.5.2	44

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-791.NASL
description	Max Vozeler discovered that the lockmail program from maildrop, a simple mail delivery agent with filtering abilities, does not drop group privileges before executing commands given on the commandline, allowing an attacker to execute arbitrary commands with privileges of the group mail.
last seen	2020-06-01
modified	2020-06-02
plugin id	19561
published	2005-09-06
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19561
title	Debian DSA-791-1 : maildrop - missing privilege release
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-791. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19561); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2005-2655"); script_xref(name:"DSA", value:"791"); script_name(english:"Debian DSA-791-1 : maildrop - missing privilege release"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Max Vozeler discovered that the lockmail program from maildrop, a simple mail delivery agent with filtering abilities, does not drop group privileges before executing commands given on the commandline, allowing an attacker to execute arbitrary commands with privileges of the group mail." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325135" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-791" ); script_set_attribute( attribute:"solution", value: "Upgrade the maildrop package. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 1.5.3-1.1sarge1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:maildrop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/08/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/06"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"maildrop", reference:"1.5.3-1.1sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

References

http://www.debian.org/security/2005/dsa-791