[5132] in bugtraq

home help back first fref pref prev next nref lref last post

Re: popper and qpopper let you read email from other pop clients

daemon@ATHENA.MIT.EDU (Ian R. Justman)
Mon Aug 11 01:55:36 1997

Date: 	Fri, 8 Aug 1997 14:44:08 -0700
Reply-To: "Ian R. Justman" <ianj@CALWEB.COM>
From: "Ian R. Justman" <ianj@CALWEB.COM>
X-To:         dynamo@IME.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSI.3.95.970807205712.13715A-100000@ime.net>

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 7 Aug 1997 dynamo@IME.NET wrote:

> Some versions of popper and qpopper from qualcomm allow you to read
> other peoples email.  There are quite a few situations in which you
> need your mail spool directory chmodded 1777.  If you have local users
> on a machine with the mail spool directory, they can create symbolic
> links from the temporary pop drop box to a file that they can read.
>
> See if youre vulnerable:

<Details of exploit deleted>

> Apparently it is fixed in the newest version.

Here's what I did when I tried this on my personal system at home which
runs QPOPPER 2.2:

/tmp$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at (zang!) starting.  <2104.871076037@(plink!)>
user (poof!)
+OK Password required for (zap!).
pass (boink!)
- -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'

Even version 2.2 of qpopper is smart enough to know the difference between
a regular file and a symbolic link.

- --Ian.

- ---
Ian R. Justman (ianj@calweb.com)

Finger ianj@calweb.com for my public PGP key.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQEVAwUBM+uTLkyc+bfQRhUBAQF3Cwf/WxHBunYU0OCyyMVSClUVq9lV8bDkijqk
EfvcQF1wbEAcm+f4d7FnF55Q6QZlyXYejRYwy0ocro+erE9DHWfqj7lQJ9OTReKq
1I+vPXbx6y15bfAo7pwwW/G8XZFXiLs3cRXw9K0znMoFvRbJezrgCMrC/3O41glP
SvBU3OhDNtuV1RMcRR8gsBnkWtqKQG53WVvNhf/wSvVxhChL4MQADlFTkosS43il
jmJ7rPYxV/jxDV/jMS40iFM7yjtIQv7RrwmQDpVI5PHjxHHaZiJkDUqZUTWwidBG
3KyW+DYPNRDkqnmPwpJKBytOh3UhMpXc0a/euBPO7VhzVB53cSI01A==
=p1SE
-----END PGP SIGNATURE-----
home help back first fref pref prev next nref lref last post