Re: popper and qpopper let you read email from other pop clients
Ian R. Justman (ianj@CALWEB.COM) Fri, 8 Aug 1997 14:44:08 -0700
- Next message: Solar Designer: "Getting around non-executable stack (and fix)"
- Previous message: Brian Mitchell: "procfs hole"
- In reply to: dynamo@IME.NET: "popper and qpopper let you read email from other pop clients"
- Next in thread: Marc Slemko: "Re: popper and qpopper let you read email from other pop clients"

On Thu, 7 Aug 1997 dynamo@IME.NET wrote:

> Some versions of popper and qpopper from qualcomm allow you to read
> other people's email. There are quite a few situations in which you
> need your mail spool directory chmodded 1777. If you have local users
> on a machine with the mail spool directory, they can create symbolic
> links from the temporary pop drop box to a file that they can read.
>
> See if you're vulnerable:

<Details of exploit deleted>

> Apparently it is fixed in the newest version.

Here's what I did when I tried this on my personal system at home which runs QPOPPER 2.2:

    /tmp$ telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK QPOP (version 2.2) at (zang!) starting. <2104.871076037@(plink!)>
    user (poof!)
    +OK Password required for (zap!).
    pass (boink!)
    -ERR Your temporary drop file /usr/spool/mail/.(blink!).pop is not type 'regular file'

Even version 2.2 of qpopper is smart enough to know the difference between a regular file and a symbolic link.

--Ian.

---
Ian R. Justman (ianj@calweb.com)
Finger ianj@calweb.com for my public PGP key.
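
The check discussed in this message, written out as an added example that is not part of the original post and is not qpopper's source: a server opening a temporary drop file in a mode-1777 spool directory accepts it only if the name is a regular file. The function name and status codes are hypothetical, and the hard-link test and the fstat() re-check go beyond the symlink case in the thread.

```c
/* Added example (not qpopper's code): open a POP drop file in a shared,
 * world-writable spool directory without following a planted link. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DROP_NOT_REGULAR = -1, DROP_CHANGED = -2, DROP_ERROR = -3 };

/* Returns an open descriptor (>= 0) or one of the negative codes above. */
int open_drop_file(const char *path)
{
    struct stat before, after;
    int fd;

    if (lstat(path, &before) != 0) {
        if (errno != ENOENT)
            return DROP_ERROR;
        /* Nothing there yet: O_EXCL refuses to create through a link. */
        fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        return fd >= 0 ? fd : (errno == EEXIST ? DROP_CHANGED : DROP_ERROR);
    }
    /* lstat() reports on the name itself, so a symlink shows up as a link.
     * The st_nlink test also rejects hard links (extra hardening). */
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1)
        return DROP_NOT_REGULAR;
    fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return errno == ELOOP ? DROP_NOT_REGULAR : DROP_ERROR;
    /* Confirm the opened object is the one inspected, closing the window
     * between lstat() and open() in which the name could be swapped. */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        return DROP_CHANGED;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc == 2 ? open_drop_file(argv[1]) : DROP_ERROR;
    printf("drop file %s\n", fd >= 0 ? "accepted" : "refused");
    return fd >= 0 ? 0 : 1;
}
```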