Bugtraq mailing list archives
Re: popper and qpopper let you read email from other pop clients
From: marcs () ZNEP COM (Marc Slemko)
Date: Mon, 11 Aug 1997 00:59:28 -0600
On Fri, 8 Aug 1997, Ian R. Justman wrote:
> Here's what I did when I tried this on my personal system at home which
> runs QPOPPER 2.2:
>
> /tmp$ telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.2) at (zang!) starting. <2104.871076037@(plink!)>
> user (poof!)
> +OK Password required for (zap!).
> pass (boink!)
> - -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'
>
> Even version 2.2 of qpopper is smart enough to know the difference between
> a regular file and a symbolic link.

Looks like there is a race condition in there. It opens the file, does
some fstat()s on it to check a few things, then does:

    #if defined(S_ISREG)
        /* Make sure the file is not a symbolic link reference */
        lstat(p->temp_drop, &mybuf);
        if (!S_ISREG(mybuf.st_mode)) {
            close(dfd);
            return pop_msg(p, POP_FAILURE,
                "Your temporary drop file %s is not type 'regular file'",
                p->temp_drop);
        }
    #endif

All you need is a (rm .user.pop; touch .user.pop) after the open but
before the lstat to get around that check. This code is from v2.4b2.

I'm not sure how this helps you do anything though, since you are running
setuid() to the user at that point; if a user can read other users'
mailboxes normally, I wouldn't be blaming qpopper. I guess that perhaps at
one point this part of the code ran as root.
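
The open-then-lstat pattern discussed above checks the name, not the file that was actually opened. The following is an added example, not part of the original post and not qpopper code: it makes the decision from the descriptor instead. The function name open_regular_drop is hypothetical, and O_NOFOLLOW is assumed to be available (POSIX.1-2008).

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not qpopper code): open `path` read/write only if it
 * is a regular file and not a symlink. Returns the fd, or -1 with errno set:
 * ELOOP = final component is a symlink, EINVAL = not a regular file,
 * ESTALE = the name no longer refers to the file that was opened. */
int open_regular_drop(const char *path)
{
    struct stat fdst, pathst;

    /* O_NOFOLLOW makes open() itself refuse a symlink, so there is no gap
     * between the check and the use. O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() reports on the object behind the descriptor; replacing the
     * directory entry after open() cannot change this answer. */
    if (fstat(fd, &fdst) != 0 || !S_ISREG(fdst.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }

    /* Cross-check: the name must still lead to the inode we hold. An
     * rm+touch between open() and here shows up as a different inode. */
    if (lstat(path, &pathst) != 0 ||
        pathst.st_dev != fdst.st_dev || pathst.st_ino != fdst.st_ino) {
        close(fd);
        errno = ESTALE;
        return -1;
    }
    return fd;
}
```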