CVE-2008-2936

Postfix < 2.3.15, 2.4 < 2.4.8, 2.5 < 2.5.4, 2.6 < 2.6-20080814 - Arbitrary File Write via Hard Link to Symlink

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2936. PoCs published by RoMaNSoFt.

AI-analyzed exploit summary This exploit leverages a race condition in Postfix (CVE-2008-2936) to create a hardlink to a symlink, allowing an attacker to append arbitrary data to root-owned files (e.g., /etc/passwd) for local privilege escalation.

Description

Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.

Exploits (1)

exploitdb WORKING POC VERIFIED

by RoMaNSoFt · bashlocallinux

https://www.exploit-db.com/exploits/6337

View Code ZIP pw:eip

This exploit leverages a race condition in Postfix (CVE-2008-2936) to create a hardlink to a symlink, allowing an attacker to append arbitrary data to root-owned files (e.g., /etc/passwd) for local privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Postfix (versions affected by CVE-2008-2936)

No auth needed

Prerequisites: Postfix installed · Writable /var/mail directory · Hardlink to symlink not dereferenced by the system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (33)

Core 33

Core References

Vendor Advisory vendor-advisory x_refsource_fedora

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html

Various Sources x_refsource_confirm

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32231

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31469

Various Sources x_refsource_confirm

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1629

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31530

Vendor Advisory vendor-advisory x_refsource_fedora

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html

Issue Tracking x_refsource_confirm

https://issues.rpath.com/browse/RPL-2689

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1020700

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/495632/100/0/threaded

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/938323

Various Sources mailing-list x_refsource_mlist

http://article.gmane.org/gmane.mail.postfix.announce/110

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/4160

Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/30691

Third Party Advisory x_refsource_confirm

http://wiki.rpath.com/Advisories:rPSA-2008-0259

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31474

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/495882/100/0/threaded

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/44460

Various Sources x_refsource_confirm

ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/6337

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2008-0839.html

Various Sources x_refsource_confirm

ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31500

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31477

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31485

Vendor Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/636-1/

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2008:171

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/495474/100/0/threaded

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/2385

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200808-12.xml

Scores

EPSS 0.0100

EPSS Percentile 58.3%

Details

CWE

CWE-264

Status published

Products (28)

postfix/postfix 2.3.0

postfix/postfix 2.3.1

postfix/postfix 2.3.2

postfix/postfix 2.3.3

postfix/postfix 2.3.4

postfix/postfix 2.3.5

postfix/postfix 2.3.6

postfix/postfix 2.3.7

postfix/postfix 2.3.8

postfix/postfix 2.3.9

... and 18 more

Published Aug 18, 2008

Tracked Since Feb 18, 2026