[5140] in bugtraq


Re: popper and qpopper let you read email from other pop clients

daemon@ATHENA.MIT.EDU (Marc Slemko)
Tue Aug 12 01:21:42 1997

Date: 	Mon, 11 Aug 1997 00:59:28 -0600
Reply-To: Marc Slemko <marcs@ZNEP.COM>
From: Marc Slemko <marcs@ZNEP.COM>
X-To:         "Ian R. Justman" <ianj@CALWEB.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSF.3.95q.970808143615.25450A-100000@web2.calweb.com>

On Fri, 8 Aug 1997, Ian R. Justman wrote:

> Here's what I did when I tried this on my personal system at home which
> runs QPOPPER 2.2:
>
> /tmp$ telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK QPOP (version 2.2) at (zang!) starting.  <2104.871076037@(plink!)>
> user (poof!)
> +OK Password required for (zap!).
> pass (boink!)
> -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'
>
> Even version 2.2 of qpopper is smart enough to know the difference between
> a regular file and a symbolic link.

Looks like there is a race condition in there.  It opens the file, does
some fstat()s on it to check a few things, then does:

#if defined(S_ISREG)
    /* Make sure the file is not a symbolic link reference */
    lstat(p->temp_drop, &mybuf);
    if (!S_ISREG(mybuf.st_mode)) {
        close(dfd);
        return pop_msg(p, POP_FAILURE,
        "Your temporary drop file %s is not type 'regular file'", p->temp_drop);
    }
#endif

All you need is a (rm .user.pop; touch .user.pop) after the open but
before the lstat to get around that check.

This code is from v2.4b2.  I'm not sure how this helps you do anything
though, since you are running setuid() to the user at that point; if a
user can read other users' mailboxes normally, I wouldn't be blaming
qpopper.

I guess that perhaps at one point this part of the code ran as root.
