[Mimedefang] Privilege escalation via PID file manipulation

Michael Orlitzky michael at orlitzky.com
Thu Aug 31 11:38:25 EDT 2017


On 08/31/2017 11:24 AM, Dianne Skoll wrote:
> Here's a patch that should apply against MIMEDefang 2.80.

Wow, that was fast, thanks.


> Again, I cannot see any way to completely close this hole as long as
> we're holding an fcntl(F_SETLK)-style lock, since the descriptor
> must be kept open.  I do as much as I can to mitigate this by
> destroying the variable containing the fd, but an attacker could
> pretty quickly discover which fd is pointing to the lock file.

You'll have to forgive the stupid question since I'm not a regular user
of MIMEDefang, but what's the purpose of the file lock? Is it to prevent
multiple daemons from running at the same time when they're not managed
by an init system?


> Since an exploit requires compromising the daemon, I would say this
> is not a super-urgent problem.

Agreed there, thanks again for the quick fix.
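The constraint Dianne describes above (a POSIX record lock lives only as long as the descriptor is open, so the daemon cannot simply close the lock file after locking it) can be shown directly. The following is an added example written for this archive page; it is not MIMEDefang code and not part of the original thread. It assumes nothing about MIMEDefang's actual lock-file path: it creates a throwaway file with mkstemp(), takes a whole-file fcntl(F_SETLK) write lock in the parent, has a child process probe whether the lock is still held, then closes the descriptor and probes again.

```c
/* Added example: fcntl(F_SETLK) locks are released when the descriptor is
 * closed, so a daemon guarding a PID/lock file this way must keep the fd
 * open for its whole lifetime. Not MIMEDefang code; the lock file here is a
 * constructed temporary file, not any real daemon's path. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try a non-blocking whole-file write lock on an open fd.
 * Returns 1 if acquired, 0 if another process holds it, -1 on other error. */
static int try_lock(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;              /* 0 = to end of file, i.e. the whole file */
    if (fcntl(fd, F_SETLK, &fl) == 0)
        return 1;
    if (errno == EAGAIN || errno == EACCES)
        return 0;
    return -1;
}

/* POSIX record locks are per-process and not inherited across fork(), so a
 * forked child is a genuinely different lock owner. The child opens the
 * path itself, probes the lock, and reports the result back over a pipe. */
static int probe_from_child(const char *path)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        int fd = open(path, O_RDWR);
        int r = (fd < 0) ? -1 : try_lock(fd);
        char c = (char)(r + 1);             /* encode -1..1 as 0..2 */
        (void)!write(pfd[1], &c, 1);
        _exit(0);                           /* child's fds (and any lock) go away */
    }
    close(pfd[1]);
    char c = 0;
    ssize_t n = read(pfd[0], &c, 1);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return (n == 1) ? (int)c - 1 : -1;
}

/* Runs the demonstration. On success returns 0 and sets:
 *   *held_while_open  = child's try_lock result while the parent still has
 *                       the locked descriptor open (expected 0: lock held)
 *   *held_after_close = child's try_lock result after the parent closed the
 *                       descriptor (expected 1: lock gone, child acquires it) */
int lock_demo(int *held_while_open, int *held_after_close)
{
    char path[] = "/tmp/lockdemo-XXXXXX";   /* constructed temp lock file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (try_lock(fd) != 1) {                /* parent takes the lock */
        close(fd);
        unlink(path);
        return -1;
    }
    *held_while_open = probe_from_child(path);
    close(fd);                              /* releases the parent's lock */
    *held_after_close = probe_from_child(path);
    unlink(path);
    return 0;
}

int main(void)
{
    int a, b;
    if (lock_demo(&a, &b) != 0) {
        fprintf(stderr, "demo setup failed\n");
        return 1;
    }
    printf("child could lock while parent fd open:   %s\n", a == 1 ? "yes" : "no");
    printf("child could lock after parent closed fd: %s\n", b == 1 ? "yes" : "no");
    return 0;
}
```

The second probe succeeding after close() is the whole point: the only way to keep the lock is to keep the descriptor, which is why scrubbing the Perl variable that held the fd reduces, but cannot eliminate, what a compromised daemon process can reach.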
