

Re: Security problem with Qualcomm qpopper 2.2, 2.4, 2.4beta1



On Dec 5 I wrote:

>There is a security problem with qpopper on systems where people have
>Unix accounts and mail spool has following protections:
>
>drwxrwsrwt   5 root     mail        38912 Dec  5 20:27 /var/spool/mail/
>-rw-rw----   1 user1    mail      1182573 Dec  3 00:41 user1
>-rw-rw----   1 user2    mail         6403 Dec  4 20:00 user2
>-rw-------   1 user3    mail         8865 Dec  4 17:01 user3
>
>ie. directory writable by everyone (even with sticky bit), and at
>least some of the mailboxes readable and/or writable by group.
>
>Someone can remove their own incoming mailbox file, then hardlink
>someone else's group-readable mailbox file (ie. user1 or user2, or
>root) to their own mail file (account name), and then connect to
>qpopper to read and delete user1's or root's mail.
>
>Suggested fix: remove #define BINMAIL_IS_SETGID 1 from popper.h.

1. Addendum: the fix I proposed makes qpopper fail on systems where
mail spool is not world-writable but group writable.  A better
suggested fix: check at runtime whether /var/spool/mail is
world-writable, and only if it's not world-writable, add the mail
group to the groups (code currently conditional on BINMAIL_IS_SETGID).
See suggested diff below.

2. There still is a possible problem for only-group-writable mail spools
if the malicious user has somehow been able to create a hardlink or
symlink to someone else's group-read/writable mail.  To close this,
the owner of the mailbox should be checked to match the pop user.

3. Denial of service security problem: The code to check for the
temporary dropbox against symlinks and hardlinks opens up
world-writable mailspools to denial of service attacks; instead of an
error message, perhaps there should be an unlink and reopen of the
temporary dropbox.  No suggested fix for this, as I decided to make
the Debian default mail spool group-writable.

diff -cr qpopper2.4.orig/pop_dropcopy.c qpopper2.4/pop_dropcopy.c
*** qpopper2.4.orig/pop_dropcopy.c	Fri Sep 12 23:23:02 1997
--- qpopper2.4/pop_dropcopy.c	Sat Dec 13 23:38:53 1997
***************
*** 794,807 ****
       * running as root.
       */
  
! #ifdef BINMAIL_IS_SETGID
! # if BINMAIL_IS_SETGID > 1
!     pwp->pw_gid = (gid_t)BINMAIL_IS_SETGID;
! # else
!     if (!stat(POP_MAILDIR, &mybuf))
  	pwp->pw_gid = mybuf.st_gid;
- # endif
- #endif
  
      /* Now we run as the user. */
      (void) setgid((GID_T)pwp->pw_gid);
--- 794,806 ----
       * running as root.
       */
  
!     /* If POP_MAILDIR is not world-writable, add the group of
!      * POP_MAILDIR be able to write there.  If world-writable,
!      * no need to set group; if we do, users can read other
!      * people's mail
!      */
!     if (!stat(POP_MAILDIR, &mybuf) && !(mybuf.st_mode & S_IWOTH))
  	pwp->pw_gid = mybuf.st_gid;
  
      /* Now we run as the user. */
      (void) setgid((GID_T)pwp->pw_gid);
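Review bot: the new comment is missing a word ("add the group of POP_MAILDIR to be able to write there") and should say what happens when stat() fails: here a failed stat() silently leaves pwp->pw_gid at the user's login group, so a mistyped POP_MAILDIR shows up only as later write failures rather than as an error at this point; consider logging the stat() failure. Note also that the removed `# if BINMAIL_IS_SETGID > 1` branch let a site name a numeric gid explicitly; after this hunk the group is always taken from the directory, which suits the Debian layout but is a behaviour change worth a changelog line.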
***************
*** 836,842 ****
  	  "Your temporary file %s is accessable by others.  This must be fixed",
  	    p->temp_drop));
      }
!     /* Make sure the mailspool is not a hard link */
      if (mybuf.st_nlink != 1) {
  	close(dfd);
  	return(pop_msg(p, POP_FAILURE,
--- 835,841 ----
  	  "Your temporary file %s is accessable by others.  This must be fixed",
  	    p->temp_drop));
      }
!     /* Make sure the temporary drop is not a hard link */
      if (mybuf.st_nlink != 1) {
  	close(dfd);
  	return(pop_msg(p, POP_FAILURE,
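Review bot: comment-only change and correct as far as it goes, since the check is on dfd, the temporary drop, not the mailspool. The st_nlink != 1 test still means that anyone who can create a link to the temporary drop in a world-writable spool makes every later login for that user fail (point 3 of the message); if the test is kept, the failure should at least be logged with the owner and inode of the offending file so the admin can find it. The "accessable" typo in the surrounding error string could be fixed in the same hunk.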
diff -cr qpopper2.4.orig/popper.c qpopper2.4/popper.c
*** qpopper2.4.orig/popper.c	Fri Sep 12 03:16:46 1997
--- qpopper2.4/popper.c	Sat Dec 13 23:16:43 1997
***************
*** 14,19 ****
--- 14,20 ----
  #include <signal.h>
  #include <setjmp.h>
  #include <ctype.h>
+ #include <sys/stat.h>
  
  #ifdef POPSCO
  # include <sys/security.h>
***************
*** 66,71 ****
--- 67,73 ----
      state_table     *   s;
      char                message[MAXLINELEN];
      char            *   tgets();
+     struct stat             mybuf;                  /*  For stat() */
  
  #if defined(POPSCO) || defined(AUTH)
  # ifdef HAVE_SET_AUTH_PARAMETERS
***************
*** 78,88 ****
  #endif
  
      /* Set umask for better security */
! #ifdef BINMAIL_IS_SETGID
!     umask(0007);	/* Trust the mail delivery group */
! #else
!     umask(0077);	/* Trust no-one */
! #endif
  
      (void) signal(SIGHUP,VOIDSTAR catchSIGHUP);
      (void) signal(SIGPIPE,VOIDSTAR catchSIGHUP);
--- 80,90 ----
  #endif
  
      /* Set umask for better security */
! 
!     if (!stat(POP_MAILDIR, &mybuf) && !(mybuf.st_mode & S_IWOTH))
!       umask(0007);	/* Trust the mail delivery group */
!     else
!       umask(0077);	/* Trust no-one */
  
      (void) signal(SIGHUP,VOIDSTAR catchSIGHUP);
      (void) signal(SIGPIPE,VOIDSTAR catchSIGHUP);
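Review bot: this repeats the stat(POP_MAILDIR)/S_IWOTH expression from the pop_dropcopy.c hunk; the two decisions (umask here, setgid there) must agree, so factor the test into one helper such as maildir_is_world_writable() instead of duplicating it. The fall-through here is the safe one (a failed stat() gives umask(0077)), which is the opposite of pop_dropcopy.c, where a failed stat() keeps the login gid; a shared helper would make that asymmetry visible and fixable in one place. The line containing only "!" leaves an empty line where the #ifdef was; drop it.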
diff -cr qpopper2.4.orig/popper.h qpopper2.4/popper.h
*** qpopper2.4.orig/popper.h	Fri Sep 12 23:22:30 1997
--- qpopper2.4/popper.h	Sat Dec 13 23:11:06 1997
***************
*** 14,20 ****
  /* 
   *  Header file for the POP programs
   */
- #define BINMAIL_IS_SETGID 1
  #ifdef POPSCO
  # include <sys/syslog.h>
  #else
--- 14,19 ----
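Review bot: removing the define is only safe if every remaining `#ifdef BINMAIL_IS_SETGID` was converted; the hunks above cover pop_dropcopy.c and popper.c, so grep the rest of the tree, the Makefile and any configure options for BINMAIL_IS_SETGID so that nothing now silently compiles as the "trust no-one" branch. A site that had set BINMAIL_IS_SETGID to an explicit gid also loses that option without any build-time error.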

Below, there are two messages from the Bugtraq mailing list which
prompted me to investigate the issue.

//Jyrki

Jyrki Kuoppala, jkp@kaapeli.fi, tel. + 358 9 694 7730, fax + 358 9 270 90 369
Katto-Meny OK, Helsinki, http://www.kaapeli.fi/ mobile + 358 40 5452608


Message-ID:  <Pine.BSI.3.95.970807205712.13715A-100000@ime.net>
Date:         Thu, 7 Aug 1997 21:04:47 -0400
Reply-To: dynamo@IME.NET
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: dynamo@IME.NET
Subject:      popper and qpopper let you read email from other pop clients
To: BUGTRAQ@NETSPACE.ORG

when i found this, i checked the archive to see if anyone else had found
this, and it didn't look like it.. if it's a repost of ideas, sorry.

Some versions of popper and qpopper from qualcomm allow you to read
other people's email.  There are quite a few situations in which you
need your mail spool directory chmodded 1777.  If you have local users
on a machine with the mail spool directory, they can create symbolic
links from the temporary pop drop box to a file that they can read.

See if you're vulnerable:

        1) touch /tmp/lumpy; chmod 777 /tmp/lumpy
        2) ln -s /tmp/lumpy /var/mail/.luser.pop
        3) wait for them to check their email.
        4) while they are reading it from the pop
           server, look at the file in the tmp dir.

Apparently it is fixed in the newest version.


dynamo

Message-ID:  <Pine.BSF.3.95q.970808143615.25450A-100000@web2.calweb.com>
Date:         Fri, 8 Aug 1997 14:44:08 -0700
Reply-To: "Ian R. Justman" <ianj@CALWEB.COM>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Ian R. Justman" <ianj@CALWEB.COM>
Subject:      Re: popper and qpopper let you read email from other pop clients
X-To:         dynamo@IME.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSI.3.95.970807205712.13715A-100000@ime.net>

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 7 Aug 1997 dynamo@IME.NET wrote:

> Some versions of popper and qpopper from qualcomm allow you to read
> other people's email.  There are quite a few situations in which you
> need your mail spool directory chmodded 1777.  If you have local users
> on a machine with the mail spool directory, they can create symbolic
> links from the temporary pop drop box to a file that they can read.
>
> See if you're vulnerable:

<Details of exploit deleted>

> Apparently it is fixed in the newest version.

Here's what I did when I tried this on my personal system at home which
runs QPOPPER 2.2:

/tmp$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at (zang!) starting.  <2104.871076037@(plink!)>
user (poof!)
+OK Password required for (zap!).
pass (boink!)
- -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'

Even version 2.2 of qpopper is smart enough to know the difference between
a regular file and a symbolic link.

- --Ian.

- ---
Ian R. Justman (ianj@calweb.com)


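The two defensive checks this thread converges on, the runtime test for a world-writable spool directory from the patch and an open of the user's mailbox that rejects symlinks, multiply-linked files and files not owned by the POP user (point 2 of the message), as an added C example that is neither qpopper's code nor any of the above posters'. The function names, the status enum and the scratch layout under /tmp are this example's own assumptions.

```c
/* Added example, not qpopper code and not from any message above.  It puts
 * the thread's two checks into one routine: the patch's "is the spool
 * directory world-writable?" test, and a mailbox open that refuses symlinks,
 * multiply-linked files and files not owned by the POP user (point 2).
 * Names and the scratch directory under /tmp are this example's assumptions. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* very old systems: the lstat() test below still rejects symlinks */
#endif

enum spool_status {
    SPOOL_OK = 0,
    SPOOL_ERR_SYMLINK,     /* path is a symbolic link */
    SPOOL_ERR_OPEN,        /* open() failed (ELOOP from O_NOFOLLOW lands here too) */
    SPOOL_ERR_NOT_REGULAR, /* opened object is not a regular file */
    SPOOL_ERR_SWAPPED,     /* a different inode was opened than lstat() saw */
    SPOOL_ERR_HARDLINK,    /* st_nlink != 1: may be a link to someone else's box */
    SPOOL_ERR_WRONG_OWNER  /* not owned by the POP user */
};

/* 1 if dir has the other-write bit, 0 if not, -1 if stat() fails.
 * A sticky 1777 spool still counts as world-writable, as in the patch. */
int spool_dir_is_world_writable(const char *dir)
{
    struct stat sb;
    if (stat(dir, &sb) != 0)
        return -1;
    return (sb.st_mode & S_IWOTH) ? 1 : 0;
}

/* Open the mailbox at path on behalf of expected_uid.  Returns an fd with
 * *st == SPOOL_OK, or -1 with *st saying why it was refused.  Every property
 * is verified on the open descriptor, so it cannot be raced after the open. */
int open_user_spool(const char *path, uid_t expected_uid, enum spool_status *st)
{
    struct stat before, after;
    int fd, have_before = (lstat(path, &before) == 0);

    if (have_before && S_ISLNK(before.st_mode)) {
        *st = SPOOL_ERR_SYMLINK;
        return -1;
    }
    fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) {
        *st = SPOOL_ERR_OPEN;
        return -1;
    }
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode))
        *st = SPOOL_ERR_NOT_REGULAR;
    else if (have_before && (before.st_dev != after.st_dev || before.st_ino != after.st_ino))
        *st = SPOOL_ERR_SWAPPED;     /* name was re-pointed between lstat() and open() */
    else if (after.st_nlink != 1)
        *st = SPOOL_ERR_HARDLINK;
    else if (after.st_uid != expected_uid)
        *st = SPOOL_ERR_WRONG_OWNER; /* catches a hard link to another user's mailbox */
    else {
        *st = SPOOL_OK;
        return fd;
    }
    close(fd);
    return -1;
}

/* Constructed scenario in a scratch directory: user1 is a genuine mailbox,
 * user2 a hard link to it and user3 a symlink to it, the layouts from the
 * thread.  Returns 1 when every case yields the expected status, else 0. */
int demo_scenarios(void)
{
    char dir[] = "/tmp/spool-demo-XXXXXX";
    char box[3][64];
    enum spool_status st;
    uid_t me = getuid();
    int ok = 1, fd, i;

    if (mkdtemp(dir) == NULL)
        return 0;
    for (i = 0; i < 3; i++)
        snprintf(box[i], sizeof box[i], "%s/user%d", dir, i + 1);
    fd = open(box[0], O_WRONLY | O_CREAT | O_EXCL, 0660);
    if (fd < 0)
        return 0;
    close(fd);

    chmod(dir, 01777);                                 /* the vulnerable layout */
    ok &= spool_dir_is_world_writable(dir) == 1;
    chmod(dir, 02775);                                 /* group-writable only */
    ok &= spool_dir_is_world_writable(dir) == 0;

    fd = open_user_spool(box[0], me, &st);             /* honest case */
    ok &= fd >= 0 && st == SPOOL_OK;
    if (fd >= 0)
        close(fd);
    ok &= open_user_spool(box[0], me + 1, &st) == -1 && st == SPOOL_ERR_WRONG_OWNER;

    ok &= link(box[0], box[1]) == 0;                   /* user2 -> user1's inode */
    ok &= open_user_spool(box[1], me, &st) == -1 && st == SPOOL_ERR_HARDLINK;
    unlink(box[1]);                                    /* user1 back to one link */

    ok &= symlink(box[0], box[2]) == 0;
    ok &= open_user_spool(box[2], me, &st) == -1 && st == SPOOL_ERR_SYMLINK;

    unlink(box[2]);
    unlink(box[0]);
    rmdir(dir);
    return ok;
}
```

open_user_spool() checks ownership on the descriptor it has already opened, so a hard link to another user's group-readable mailbox fails the owner test even though it passes the name-based lookup; unlike the st_nlink test alone, that does not lock the genuine owner out as well. The lstat()/fstat() inode comparison is the usual way to close the window between examining a name and opening it.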
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .