Title: QPopper PopAuth Trace File Shell Command Execution Vulnerability
Severity: MODERATE
Description:
Qpopper is a freely available, open source Post Office Protocol server. It is maintained and distributed by Qualcomm.
A problem with one of the utilities included with the daemon makes it possible for a local user to gain elevated privileges. The problem is in the handling of trace files.
Trace files are typically used for debugging purposes. They are loaded via the -trace flag when popauth is executed.
When popauth is executed with the trace option, it does not correctly handle user-supplied input. A user can supply data to the popauth program through the trace flag which will cause the program to execute shell commands, and follow symbolic links. This problem could be exploited to gain privilege elevation equal to that of the setuid bit of popauth, typically set as the 'pop' user.
This problem makes it possible for a local user to gain access to the system as the 'pop' user, and potentially read or write data accessible by the 'pop' user, such as APOP passwords.
Affected Products:
- Caldera OpenServer 5.0.5
- Caldera OpenServer 5.0.6
- Qualcomm qpopper 4.0.1
- Qualcomm qpopper 4.0.2
- Qualcomm qpopper 4.0.3
- RedHat Linux 7.0.0
- RedHat Linux 7.1.0
- Sun Cobalt RaQ 4
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
