Date: Thu, 25 May 2000 08:08:09 -0500 (CDT)
---------- Forwarded message ----------
Date: Tue, 23 May 2000 22:37:30 -0700
From: Qpopper Support <qpopper@qualcomm.com>
Sender: owner-qpopper-announce@qualcomm.com
To: Qpopper Announcements <qpopper-announce@qualcomm.com>,
     Qpopper Discussion List <qpopper@lists.pensive.org>
Cc: qpopper@qualcomm.com
Subject: Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2)

Qpopper development has learned of a security vulnerability in 
Qpopper 2.53 (and older).  All users of Qpopper are urged to upgrade 
to 3.0.2 or later.

The details have been reported to CERT and BugTraq.  The exploit 
involves sending a specially-constructed message to a user, then 
logging in as that user and issuing the EUIDL command.  A successful 
attack can yield a shell running with group 'mail'.

  It is important to note that the attack:

    1.  Requires the ability to log in as a user.
    2.  Can at most give a shell with uid of the user and gid of mail,
        potentially allowing access to other users' mail.
    3.  Will be logged.
    4.  Requires Qpopper 2.53 or older.  The current released version is 3.0.2.

In addition, not all sites use group 'mail' or have Qpopper set to 
run with gid=mail, or have spools owned by group 'mail' and have rw 
group access.  However, this is a very common configuration.

Qpopper 3.0 has additional protections against buffer overflows; this 
exploit proves the usefulness of this approach.
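
The exposure described above depends on spool files being owned by group 'mail' with rw group access. The following shell functions are an added example, not part of the original announcement or of Qpopper, for checking a spool directory for that configuration; the spool path and group name are site-specific assumptions passed as arguments.

```shell
#!/bin/sh
# Added example: audit a mail spool for the group-rw configuration the
# advisory calls "very common". SPOOL and GROUP are assumptions; pass
# your site's values, e.g.  audit_spool /var/spool/mail mail

# Print mailboxes under SPOOL owned by GROUP with group read AND write set.
exposed_mailboxes() {
    find "$1" -type f -group "$2" -perm -060 -print
}

# Succeed if the spool directory itself is owned by GROUP and group-writable
# (a process with that gid could then create or remove mailboxes).
spool_dir_group_writable() {
    [ -n "$(find "$1" -prune -type d -group "$2" -perm -020 -print)" ]
}

# Report findings. Returns 0 if nothing is reachable through GROUP,
# 1 if mailboxes or the spool directory are, 2 if the scan itself failed.
audit_spool() {
    spool=$1 grp=$2 status=0
    boxes=$(exposed_mailboxes "$spool" "$grp") || return 2
    if [ -n "$boxes" ]; then
        echo "group '$grp' can read and write these mailboxes:"
        echo "$boxes"
        status=1
    fi
    if spool_dir_group_writable "$spool" "$grp"; then
        echo "spool directory $spool is writable by group '$grp'"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "no group-rw exposure for '$grp' in $spool"
    return "$status"
}
```

A return of 1 means a process holding that gid, such as the shell described in the advisory, could reach the listed files.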