Vulnerability in Qmail mail transport agent allows RCE

Qualys researchers have found a way to exploit a previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution.


The Qmail RCE flaw and other vulnerabilities

In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still widely regarded as one of the most secure pieces of software out there.

At the time Bernstein pointed out that the vulnerabilities (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515) could not be exploited in a default Qmail installation as “the memory consumption of each qmail-smtpd process is severely limited by default”, so they were never addressed.

But Qualys researchers recently decided to audit the security of the software again, and discovered that the three vulnerabilities also affect the qmail-local process, which is reachable remotely and is not memory-limited by default, ergo the flaws can be exploited.

“We investigated many qmail packages, and *all* of them limit qmail-smtpd’s memory, but *none* of them limits qmail-local’s memory,” they added.

“As a proof of concept, we developed a reliable, local and remote exploit [for CVE-2005-1513] against Debian’s qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory).”

They said they will publish their PoC exploit in the near future.

They’ve also unearthed two vulnerabilities in qmail-verify, a third-party qmail patch that is not part of Qmail but is included in Debian’s qmail package and other Qmail forks: a mail-address verification bypass (CVE-2020-3811) and a local information disclosure bug (CVE-2020-3812).

What now?

Bernstein stopped developing Qmail in 1998. The last stable release of the software is v1.03.

Since then, it has been forked (s/qmail, netqmail, notqmail) and “patched” (third-party “patches” added new features to it), and implemented in third-party platforms.

Bernstein told Qualys that he runs each qmail service with a low memory limit and recommends the same for other installations. This limit can be configured in the startup scripts of all qmail services and foils the exploitation of all the flaws discovered in 2005 by Guninski.

Qualys wrote a patch for Debian’s qmail package that fixes the qmail-verify issues and all three 2005 CVEs in Qmail – the latter by hard-coding a safe, upper memory limit in the alloc() function.
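Why a cap inside the allocator closes off integer overflows in buffer-size arithmetic can be seen in a small C sketch. This is an added illustration, not code from Qmail or from the Qualys patch; the names `capped_alloc`, `grow_size`, `buf_readyplus` and `buf_append`, the `struct buf` type and the 256 MiB cap value are all assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this sketch; the article does not give the patch's value. */
#define ALLOC_CAP (256u * 1024u * 1024u)

/* Allocator wrapper: refuse any single request at or above the cap. */
void *capped_alloc(unsigned int n)
{
    if (n >= ALLOC_CAP) { errno = ENOMEM; return NULL; }
    return malloc(n ? n : 1);
}

/* Hypothetical growable buffer with unsigned int bookkeeping. */
struct buf { char *s; unsigned int len; unsigned int cap; };

/* Size requested to hold len + extra bytes plus slack. The arithmetic is
   unsigned int, so very large inputs wrap around to a small result. */
unsigned int grow_size(unsigned int len, unsigned int extra)
{
    unsigned int want = len + extra;
    return want + (want >> 3) + 30;
}

/* Make room for `extra` more bytes. Returns 1 on success, 0 on refusal.
   Every buffer comes from capped_alloc, so len <= cap < ALLOC_CAP always
   holds; with extra also below the cap, the sums below cannot wrap. */
int buf_readyplus(struct buf *b, unsigned int extra)
{
    if (extra >= ALLOC_CAP) { errno = ENOMEM; return 0; }
    if (b->len + extra <= b->cap) return 1;
    unsigned int size = grow_size(b->len, extra);
    char *p = capped_alloc(size);       /* refuses oversized growth */
    if (!p) return 0;
    if (b->s) { memcpy(p, b->s, b->len); free(b->s); }
    b->s = p;
    b->cap = size;
    return 1;
}

/* Append n bytes; the copy only runs after the size check has passed. */
int buf_append(struct buf *b, const char *data, unsigned int n)
{
    if (!buf_readyplus(b, n)) return 0;
    memcpy(b->s + b->len, data, n);
    b->len += n;
    return 1;
}
```

Without the cap, `grow_size(16, UINT_MAX - 7)` wraps to 39, so a request for roughly 4GB more space would be satisfied with a 39-byte allocation; with the cap, no length can grow large enough for the sum to wrap.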

An updated version (v1.50) of qmail-verify with the issues fixed is available for download and, according to Qualys, “the developers of notqmail have written their own patches for the three 2005 CVEs and have started to systematically fix all integer overflows and signedness errors in qmail.”
