Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Another nice tmp race
From: gonzo () RRNET COM (Patrick J. Volkerding)
Date: Tue, 27 Oct 1998 16:23:43 -0600


On Wed, 21 Oct 1998, Stefan Laudat wrote:
        Playing with my new shiny Slackware 3.5 box I have noticed
something unusual. The in.pop3d daemon creates sometimes locks for some
mailboxes in /usr/tmp/.pop. The directory is  drwxrwxrwt so there will be
no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
whatever comes in your head. Be creative.

As a test, I created this link logged in as a non-root user:

/var/tmp/.pop/root -> /vmlinuz

Here's the result when root tries to pop mail:

+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07
1998>
user root
+OK please send PASS command
pass password
-ERR being read already /usr/spool/mail/root
quit
+OK darkstar POP3 Server (Version 1.005l) shutdown.


/vmlinuz was unchanged after this test.  Conclusion:  while the locking
system used by in.pop3d may look suspect at first glance, it does not
appear to be vulnerable.


---
Patrick J. Volkerding
Slackware Linux maintainer



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault