Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 16 Jun 2020 14:24:16 -0700
From: Qualys Security Advisory <>
Subject: Re: Remote Code Execution in qmail (CVE-2005-1513)

Hi all,

Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at:

A few notes about this exploit:

- It works as-is against a default, unpatched installation of qmail on
  Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of
  memory on the target machine, and creates a file in /tmp when

- It can be ported to other Linux distributions (if the qmail-local
  binary is not full-RELRO) by modifying the lines marked with XXX in
  the exploit code.

- To obtain the mmap layout described in our advisory, the exploit
  simulates the qmail-local program, and must therefore be executed on
  the same type of Linux distribution as the target. For example, in our
  tests, we executed the exploit on a Debian 10.0 machine and remotely
  attacked a Debian 10.3 machine.

  The exploit parameters can probably be calculated without the
  qmail-local simulation, and can certainly be precalculated, but we
  wanted to keep our exploit as general as possible.

For the local exploit (LPE), there are only two command-line arguments:

- "user": the name of the target user (on a default Debian installation,
  this can be "man", "root", "avahi-autoipd", or any real user account).

- "domain": by default, the hostname in "/var/lib/qmail/control/me".

For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option:

- "-i client_ip": the IP address of the attacking machine, as seen by
  the target machine.

- "-h client_host": the hostname of the attacking machine (if it has no
  reverse DNS, the empty string can be specified, and the exploit will
  use qmail's default, "unknown").

- "-s server_host": the hostname of the target machine (by default, the
  same as the "domain" below).

- "user": the name of the target user.

- "domain": by default, the hostname in "/var/lib/qmail/control/me" on
  the target machine (and hence the hostname in qmail's SMTP banner).

- "server_ip": the IP address of the target machine.

- "-d homedir": the home directory of the target user, if known
  (otherwise, the exploit uses a reasonable default).

We are at your disposal for questions, comments, and further
discussions. Thank you very much!

With best regards,

the Qualys Security Advisory team


This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Download attachment "CVE-2005-1513.tar.gz" of type "application/gzip" (68009 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.