[8324] in bugtraq
Re: Another nice tmp race
daemon@ATHENA.MIT.EDU (Patrick J. Volkerding)
Wed Oct 28 14:28:37 1998
Date: Tue, 27 Oct 1998 16:23:43 -0600
Reply-To: "Patrick J. Volkerding" <gonzo@RRNET.COM>
From: "Patrick J. Volkerding" <gonzo@RRNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.981021100330.11440A-100000@ns.art.ro>
On Wed, 21 Oct 1998, Stefan Laudat wrote:
> Playing with my new shiny Slackware 3.5 box I have noticed
> something unusual. The in.pop3d daemon creates sometimes locks for some
> mailboxes in /usr/tmp/.pop. The directory is drwxrwxrwt so there will be
> no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
> whatever comes in your head. Be creative.
As a test, I created this link logged in as a non-root user:

/var/tmp/.pop/root -> /vmlinuz

Here's the result when root tries to pop mail:

+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07 1998>
user root
+OK please send PASS command
pass password
-ERR being read already /usr/spool/mail/root
quit
+OK darkstar POP3 Server (Version 1.005l) shutdown.

/vmlinuz was unchanged after this test. Conclusion: while the locking
system used by in.pop3d may look suspect at first glance, it does not
appear to be vulnerable.
---
Patrick J. Volkerding
Slackware Linux maintainer
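
Added example, not part of the original message and not in.pop3d's own code: a C lock-file routine that gives the result reported above (lock treated as already held, link target untouched) when a symlink sits under the lock name. It assumes the lock is taken with open() and O_CREAT|O_EXCL; take_lock, demo_planted_link and the /tmp/lockdemoXXXXXX directory are names made up for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical lock routine (an assumption, not in.pop3d's source).
 * With O_CREAT|O_EXCL, open() fails with EEXIST if the name exists at all,
 * including as a symlink (dangling or not), so a pre-existing link in a
 * shared directory is never followed and nothing is written through it. */
int take_lock(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed test case: inside a private mkdtemp() directory, make
 * root -> target, then try to take the lock named "root". Returns 0 if the
 * lock was refused with EEXIST and target is unchanged, 1 if not, -1 on
 * setup failure. */
int demo_planted_link(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX";
    char target[64], lock[64], buf[16] = {0};

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/root", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "KERNEL", 6) != 6) return -1;
    close(fd);
    if (symlink(target, lock) != 0) return -1;

    int lfd = take_lock(lock);          /* expected to fail */
    int err = errno;
    if (lfd >= 0) close(lfd);

    fd = open(target, O_RDONLY);        /* re-read the link target */
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(lock); unlink(target); rmdir(dir);
    return (lfd < 0 && err == EEXIST && n == 6 && !memcmp(buf, "KERNEL", 6)) ? 0 : 1;
}

int main(void)
{
    int rc = demo_planted_link();
    puts(rc == 0 ? "lock refused (EEXIST), target unchanged" : "link not handled safely");
    return rc;
}
```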