Summary
An attacker who has achieved Arbitrary Code Execution as the stalwart-mail user, or who holds admin credentials for the web interface, can gain complete root access to the system.
Details
Usually, system services run as a dedicated unprivileged user (not as root) so that an attacker who achieves Arbitrary Code Execution is confined to that one service; other system services and the system itself then remain protected even after a successful attack. stalwart-mail does run as a separate user, but it can give itself full privileges back in a simple way, so this protection is practically ineffective. In fact it is so simple that there is even a web admin GUI for it:
PoC
- Modify the configuration so that stalwart-mail runs as root, either by overwriting the configuration file as the local stalwart-mail user, or over the network through the admin interface (which requires admin credentials).
- Run arbitrary commands as root by configuring them as a pipe filter and triggering that filter (this step is technically not part of the privilege escalation itself; untested).
Impact
- Server admins who handed out admin credentials for the mail server but did not intend to hand out complete root access to the system.
- Any operator whose server is attacked through another vulnerability that gives the attacker Arbitrary Code Execution as the stalwart-mail user.