Date: Thu, 25 May 2000 08:08:09 -0500 (CDT) ---------- Forwarded message ---------- Date: Tue, 23 May 2000 22:37:30 -0700 From: Qpopper Support <firstname.lastname@example.org> Sender: email@example.com To: Qpopper Announcements <firstname.lastname@example.org>, Qpopper Discussion List <email@example.com> Cc: firstname.lastname@example.org Subject: Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2) Qpopper development has learned of a security vulnerability in Qpopper 2.53 (and older). All users of Qpopper are urged to upgrade to 3.0.2 or later. The details have been reported to CERT and BugTraq. The exploit involves sending a specially-constructed message to a user, then logging in as that user and issuing the EUIDL command. A successful attack can yield a shell running with group 'mail'. It is important to note that the attack: 1. Requires the ability to log in as a user. 2. Can at most give a shell with uid of the user and gid of mail, potentially allowing access to other user's mail. 3. Will be logged. 4. Requires Qpopper 2.53 or older. The current released version is 3.0.2. In addition, not all sites use group 'mail' or have Qpopper set to run with gid=mail, or have spools owned by group 'mail' and have rw group access. However, this is a very common configuration. Qpopper 3.0 has additional protections against buffer overflows; this exploit proves the usefulness of this approach.