Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Another nice tmp race
From: gonzo () RRNET COM (Patrick J. Volkerding)
Date: Tue, 27 Oct 1998 16:23:43 -0600

On Wed, 21 Oct 1998, Stefan Laudat wrote:
        Playing with my new shiny Slackware 3.5 box I have noticed
something unusual. The in.pop3d daemon creates sometimes locks for some
mailboxes in /usr/tmp/.pop. The directory is  drwxrwxrwt so there will be
no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
whatever comes in your head. Be creative.

As a test, I created this link logged in as a non-root user:

/var/tmp/.pop/root -> /vmlinuz

Here's the result when root tries to pop mail:

+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07
user root
+OK please send PASS command
pass password
-ERR being read already /usr/spool/mail/root
+OK darkstar POP3 Server (Version 1.005l) shutdown.

/vmlinuz was unchanged after this test.  Conclusion:  while the locking
system used by in.pop3d may look suspect at first glance, it does not
appear to be vulnerable.

Patrick J. Volkerding
Slackware Linux maintainer

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]