Bugtraq mailing list archives

Re: popper and qpopper let you read email from other pop clients
From: marcs () ZNEP COM (Marc Slemko)
Date: Mon, 11 Aug 1997 00:59:28 -0600


On Fri, 8 Aug 1997, Ian R. Justman wrote:

Here's what I did when I tried this on my personal system at home which
runs QPOPPER 2.2:

/tmp$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at (zang!) starting.  <2104.871076037@(plink!)>
user (poof!)
+OK Password required for (zap!).
pass (boink!)
-ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'

Even version 2.2 of qpopper is smart enough to know the difference between
a regular file and a symbolic link.

Looks like there is a race condition in there.  It opens the file, does
some fstat()s on it to check a few things, then does:

#if defined(S_ISREG)
    /* Make sure the file is not a symbolic link reference */
    lstat(p->temp_drop, &mybuf);
    if (!S_ISREG(mybuf.st_mode)) {
        close(dfd);
        return pop_msg(p, POP_FAILURE,
        "Your temporary drop file %s is not type 'regular file'", p->temp_drop);
    }
#endif

All you need is a (rm .user.pop; touch .user.pop) after the open but
before the lstat to get around that check.

This code is from v2.4b2.  I'm not sure how this helps you do anything
though, since you are running setuid() to the user at that point; if a
user can read other users' mailboxes normally, I wouldn't be blaming
qpopper.

I guess that perhaps at one point this part of the code ran as root.
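The window Marc describes exists because lstat() re-examines the path rather than the file already opened on dfd. As an added example (not qpopper's code; function names and the temp-dir layout are hypothetical), this is the shape of a check that closes the window: O_NOFOLLOW makes the open itself refuse a symlink, and fstat() on the returned descriptor inspects the object actually opened, so an rm/touch on the path after open() changes nothing the check looks at.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path and verify that what was opened is a regular file.
 * O_NOFOLLOW makes open() fail if the final path component is a symlink;
 * fstat() then checks the descriptor, not the path, so the check and the
 * later use refer to the same object. Returns the fd, or -1 on failure. */
int open_regular_nofollow(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) {
        close(fd);              /* directory, FIFO, device: reject */
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular drop file plus a symlink pointing at it,
 * both in a fresh temp directory. Returns 1 when the regular file is
 * accepted and the symlink rejected, 0 otherwise. */
int demo_nofollow_check(void)
{
    char dir[] = "/tmp/dropXXXXXX";
    char file[64], link[64];
    int ok = 0, fd, f1, f2;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/user.pop", dir);
    snprintf(link, sizeof link, "%s/link.pop", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            f1 = open_regular_nofollow(file);   /* expected: >= 0 */
            f2 = open_regular_nofollow(link);   /* expected: -1  */
            ok = (f1 >= 0 && f2 == -1);
            if (f1 >= 0)
                close(f1);
        }
    }
    unlink(link);
    unlink(file);
    rmdir(dir);
    return ok;
}
```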
