

Security problem with Qualcomm qpopper 2.2, 2.4, 2.4beta1

There is a security problem with qpopper on systems where people have
Unix accounts and mail spool has following protections:

drwxrwsrwt   5 root     mail        38912 Dec  5 20:27 /var/spool/mail/
-rw-rw----   1 user1    mail      1182573 Dec  3 00:41 user1
-rw-rw----   1 user2    mail         6403 Dec  4 20:00 user2
-rw-------   1 user3    mail         8865 Dec  4 17:01 user3

i.e. directory writable by everyone (even with sticky bit), and at
least some of the mailboxes readable and/or writable by group.

Someone can remove their own incoming mailbox file, then hardlink
someone else's group-readable mailbox file (i.e. user1 or user2, or
root) to their own mail file (account name), and then connect to
qpopper to read and delete user1's or root's mail.

Suggested fix: remove #define BINMAIL_IS_SETGID 1 from popper.h.

Alternatively, check that the owner of the mailbox matches the pop
user.

I'm not sure which systems use the above modes for mail files.  Ours
is originally RedHat Linux, later updated to be mostly Debian, and
uses sendmail+procmail for mail delivery.  Procmail appears to create
mail boxes with group read+write by default, but if the user's mail
program changes modes to just the user, procmail doesn't change the
modes.  Thus the mixed modes.

Below, there are two messages from the Bugtraq mailing list which
prompted me to investigate the issue.

//Jyrki

Jyrki Kuoppala, jkp@kaapeli.fi, tel. + 358 9 694 7730, fax + 358 9 270 90 369
Katto-Meny OK, Helsinki, http://www.kaapeli.fi/ mobile + 358 40 5452608
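The ownership check suggested above as the alternative fix, combined with the "regular file" test that Ian's transcript below shows qpopper 2.2 already performs, written out as an added C example. This is not qpopper source; the mailbox names and the throw-away spool directory it builds under /tmp are constructed for the demo. The point it adds to the text is that a hardlinked mailbox is visible from both names: the inode's link count becomes 2, so the victim's own mailbox fails the check as well as the attacker's, and the owner test catches it independently because the inode keeps the victim's uid.

```c
/* Added example: mailbox sanity checks a POP server should make before
 * reading a user's spool file.  Not qpopper code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum mailbox_status {
    MBOX_OK = 0,
    MBOX_MISSING,      /* no such file: the user simply has no mail yet */
    MBOX_STAT_FAILED,  /* lstat/open/fstat failed for another reason */
    MBOX_NOT_REGULAR,  /* symlink, directory, fifo, ...: what qpopper 2.2 rejects */
    MBOX_EXTRA_LINKS,  /* st_nlink > 1: another name refers to this inode */
    MBOX_WRONG_OWNER   /* inode owned by someone other than the POP user */
};

/* The three tests applied to whatever lstat()/fstat() reported. */
static enum mailbox_status inspect(const struct stat *st, uid_t pop_uid)
{
    if (!S_ISREG(st->st_mode)) return MBOX_NOT_REGULAR;
    if (st->st_nlink != 1)     return MBOX_EXTRA_LINKS;
    if (st->st_uid != pop_uid) return MBOX_WRONG_OWNER;
    return MBOX_OK;
}

/* Path-based check; lstat() so a symlink is reported as a symlink. */
enum mailbox_status check_mailbox(const char *path, uid_t pop_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return errno == ENOENT ? MBOX_MISSING : MBOX_STAT_FAILED;
    return inspect(&st, pop_uid);
}

/* Race-free variant for the server itself: open without following symlinks,
 * then judge the descriptor actually held rather than a path that could be
 * swapped between check and open.  Returns the fd, or -1 with *status set. */
int open_mailbox(const char *path, uid_t pop_uid, enum mailbox_status *status)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) {
        *status = errno == ELOOP ? MBOX_NOT_REGULAR
                : errno == ENOENT ? MBOX_MISSING : MBOX_STAT_FAILED;
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); *status = MBOX_STAT_FAILED; return -1; }
    *status = inspect(&st, pop_uid);
    if (*status != MBOX_OK) { close(fd); return -1; }
    return fd;
}

/* Builds a constructed spool in a temp directory and runs the cases from the
 * thread: an honest mailbox, a wrong owner, a hardlinked mailbox seen from
 * both names, and a symlink dropped in the spool.  Returns the number of
 * cases that behaved as expected (7), or -1 if the setup itself failed. */
int demo_spool_checks(void)
{
    char dir[] = "/tmp/spool-demo-XXXXXX";      /* constructed, not a real spool */
    if (mkdtemp(dir) == NULL) return -1;
    char good[256], linked[256], sym[256];
    snprintf(good,   sizeof good,   "%s/user1", dir);
    snprintf(linked, sizeof linked, "%s/attacker", dir);
    snprintf(sym,    sizeof sym,    "%s/.luser.pop", dir);

    const char msg[] = "From user1  Fri Dec  5 20:27:00 1997\n";  /* constructed */
    int fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0660);
    if (fd < 0 || write(fd, msg, sizeof msg - 1) < 0) { if (fd >= 0) close(fd); return -1; }
    close(fd);

    uid_t me = getuid();
    enum mailbox_status s;
    int ok = 0;
    ok += check_mailbox(good, me) == MBOX_OK;                       /* 1: honest box */
    fd = open_mailbox(good, me, &s); ok += fd >= 0; if (fd >= 0) close(fd); /* 2 */
    ok += check_mailbox(good, me + 1) == MBOX_WRONG_OWNER;          /* 3: not my inode */

    if (link(good, linked) != 0) return -1;                         /* the attack step */
    ok += check_mailbox(linked, me) == MBOX_EXTRA_LINKS;            /* 4: attacker's name */
    ok += check_mailbox(good,   me) == MBOX_EXTRA_LINKS;            /* 5: victim's name too */

    if (symlink("/tmp/lumpy", sym) != 0) return -1;                 /* dynamo's variant */
    ok += check_mailbox(sym, me) == MBOX_NOT_REGULAR;               /* 6 */
    ok += open_mailbox(sym, me, &s) == -1 && s == MBOX_NOT_REGULAR; /* 7: O_NOFOLLOW */

    unlink(sym); unlink(linked); unlink(good); rmdir(dir);
    return ok;
}

int main(void)
{
    int n = demo_spool_checks();
    printf("%d of 7 mailbox checks behaved as expected\n", n);
    return n == 7 ? 0 : 1;
}
```

Case 5 is the one worth noticing operationally: once the hardlink exists, the victim's mailbox itself stops passing, so a server that logs MBOX_EXTRA_LINKS gives the administrator a signal that the spool has been tampered with, in addition to refusing the attacker. The check does not help where the spool is group-writable and the attacker simply edits the file in place; that is why the first suggested fix, dropping BINMAIL_IS_SETGID and tightening the modes, is the primary one.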


Message-ID:  <Pine.BSI.3.95.970807205712.13715A-100000@ime.net>
Date:         Thu, 7 Aug 1997 21:04:47 -0400
Reply-To: dynamo@IME.NET
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: dynamo@IME.NET
Subject:      popper and qpopper let you read email from other pop clients
To: BUGTRAQ@NETSPACE.ORG

When I found this, I checked the archive to see if anyone else had found
this, and it didn't look like it. If it's a repost of ideas, sorry.

Some versions of popper and qpopper from Qualcomm allow you to read
other people's email.  There are quite a few situations in which you
need your mail spool directory chmodded 1777.  If you have local users
on a machine with the mail spool directory, they can create symbolic
links from the temporary pop drop box to a file that they can read.

See if you're vulnerable:

        1) touch /tmp/lumpy; chmod 777 /tmp/lumpy
        2) ln -s /tmp/lumpy /var/mail/.luser.pop
        3) wait for them to check their email.
        4) while they are reading it from the pop
           server, look at the file in the tmp dir.

Apparently it is fixed in the newest version.


dynamo

Message-ID:  <Pine.BSF.3.95q.970808143615.25450A-100000@web2.calweb.com>
Date:         Fri, 8 Aug 1997 14:44:08 -0700
Reply-To: "Ian R. Justman" <ianj@CALWEB.COM>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Ian R. Justman" <ianj@CALWEB.COM>
Subject:      Re: popper and qpopper let you read email from other pop clients
X-To:         dynamo@IME.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSI.3.95.970807205712.13715A-100000@ime.net>

On Thu, 7 Aug 1997 dynamo@IME.NET wrote:

> Some versions of popper and qpopper from Qualcomm allow you to read
> other people's email.  There are quite a few situations in which you
> need your mail spool directory chmodded 1777.  If you have local users
> on a machine with the mail spool directory, they can create symbolic
> links from the temporary pop drop box to a file that they can read.
>
> See if you're vulnerable:

<Details of exploit deleted>

> Apparently it is fixed in the newest version.

Here's what I did when I tried this on my personal system at home which
runs QPOPPER 2.2:

/tmp$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at (zang!) starting.  <2104.871076037@(plink!)>
user (poof!)
+OK Password required for (zap!).
pass (boink!)
-ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'

Even version 2.2 of qpopper is smart enough to know the difference between
a regular file and a symbolic link.

--Ian.

---
Ian R. Justman (ianj@calweb.com)

