Vulnerabilities found in the Qmail mail transport agent allow RCE
Qmail is a mail transfer agent (MTA) that runs on Unix. It was written, starting December 1995, by Daniel J. Bernstein as a more secure replacement for the popular Sendmail program. Originally license-free software, qmail’s source code was later dedicated to the public domain by the author.
In 2005 a cybersecurity expert found 3 vulnerabilities in Qmail (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515). They could not be exploited in a default Qmail installation because “the memory consumption of each qmail-smtpd process is severely limited by default”, so they were never addressed.
Now, almost a decade and a half later, Qualys researchers decided to test qmail’s security again. They found that the 3 vulnerabilities discovered earlier also affect the qmail-local process, which is reachable remotely and is not memory-limited by default, so the flaws can be exploited.
“We investigated many qmail packages, and *all* of them limit qmail-smtpd’s memory, but *none* of them limits qmail-local’s memory. As a proof of concept, we developed a reliable, local and remote exploit [for CVE-2005-1513] against Debian’s qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory),” the researchers said.
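The whole difference between the 2005 assessment and the 2020 one comes down to whether the process handling untrusted input runs under an address-space limit. The following C program is an added illustration of that mitigation, not code from the article, from Qualys or from qmail: it forks a child, optionally caps the child's address space with RLIMIT_AS (the same limit that daemontools' softlimit -m or the shell's ulimit -v imposes on a qmail process), and then attempts one large allocation. The allocation and limit sizes are constructed values for the demonstration, not qmail's actual settings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MIB (1024UL * 1024UL)

/* Allocate `bytes` and touch one byte per MiB so the pages are really mapped.
   Returns 1 if the allocation succeeded, 0 if the kernel/libc refused it. */
static int try_allocate(size_t bytes) {
    char *p = malloc(bytes);
    if (p == NULL)
        return 0;
    for (size_t off = 0; off < bytes; off += MIB)
        p[off] = 1;
    free(p);
    return 1;
}

/* Run try_allocate(alloc_bytes) in a forked child whose address space is
   capped at limit_bytes via RLIMIT_AS. RLIM_INFINITY means "inherit the
   parent's limits, add no cap", which is the situation Qualys describes for
   qmail-local in the packages it examined.
   Returns 1 if the child's allocation succeeded, 0 if it was refused,
   -1 if the experiment itself failed (fork/waitpid/setrlimit error). */
int allocation_allowed_under_limit(rlim_t limit_bytes, size_t alloc_bytes) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (limit_bytes != RLIM_INFINITY) {
            struct rlimit rl;
            if (getrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
            /* Lower only the soft limit; never try to raise the hard one. */
            rl.rlim_cur = limit_bytes;
            if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < limit_bytes)
                rl.rlim_cur = rl.rlim_max;
            if (setrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
        }
        _exit(try_allocate(alloc_bytes) ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void) {
    /* Constructed sizes for the demonstration; a real limit for qmail-local
       would be sized to the largest legitimate delivery, not these values. */
    size_t alloc = 256 * MIB;
    rlim_t cap = 64 * MIB;
    printf("no address-space limit: %zu MiB allocation %s\n", alloc / MIB,
           allocation_allowed_under_limit(RLIM_INFINITY, alloc) == 1 ? "succeeded" : "refused");
    printf("RLIMIT_AS = %lu MiB:    %zu MiB allocation %s\n",
           (unsigned long)(cap / MIB), alloc / MIB,
           allocation_allowed_under_limit(cap, alloc) == 1 ? "succeeded" : "refused");
    return 0;
}
```

The child process inherits everything from the parent, so applying the limit there mirrors how a supervisor applies softlimit to a daemon before exec: the parent's own memory is untouched, and the first oversized allocation in the capped child simply fails instead of growing without bound. An audit of a qmail installation would check that qmail-local, not only qmail-smtpd, is started under such a cap.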
The last stable qmail release was v1.03, and the software has been vulnerable since then. An updated version (v1.50) of qmail-verify with the issues fixed is available for download, qmail said.