popauth utility in Qualcomm Qpopper 4.0 and earlier allows local users to overwrite arbitrary files and execute commands as the pop user via a symlink attack on the -trace file option.
Local privilege escalation to the pop user is possible in Qualcomm Qpopper 4.0 and earlier because the popauth utility, which runs with the pop user's privileges, follows symbolic links when opening the file named by its -trace option. A local attacker can use this to overwrite files the pop user can write and to execute commands as the pop user. The escalation is to pop, not to root, but it exposes everything that account controls, including the mail data Qpopper serves.
Step 1: Symlink Creation: The attacker creates a symbolic link (e.g., /tmp/mylink) that points to a file the pop user can write and whose contents give the attacker further access, such as a file within the pop user's home directory. A root-owned file such as /etc/passwd is not a useful target here: the write is performed as the pop user, the kernel checks the pop user's permissions on the link's target, and the write fails.
Step 2: Triggering popauth: The attacker executes the popauth utility with the -trace option, specifying the attacker-controlled symbolic link as the trace file (e.g., popauth -trace /tmp/mylink).
Step 3: Link Following: popauth does not check whether the trace path is a symbolic link before opening it for writing, and it does not drop its privileges first. No race condition is needed: the attacker names the link directly on the command line, and the kernel resolves it to the target at open time.
Step 4: File Overwrite: The open succeeds because the pop user may write the target, and the trace output is written into (and truncates) the file the link points to rather than /tmp/mylink itself.
Step 5: Command Execution as pop: With a pop-writable file now under the attacker's control, for example a file within the pop user's home directory that the pop account acts on, the attacker can execute commands as the pop user.
The vulnerability stems from how the popauth utility handles the -trace option. The option, intended for debugging, makes a privileged program open a path chosen by an unprivileged user for writing, and the program neither refuses symbolic links nor drops the pop user's privileges before the open. The kernel therefore follows an attacker-created link, and the write lands in the link's target with the pop user's permissions, allowing the attacker to overwrite pop-writable files and, through them, run commands as pop. The core issue is unsafe handling of a user-supplied file path inside a privileged program. Note that a check-then-open on the path (for example an lstat() followed by fopen()) would not be a sufficient fix, because the attacker can swap in the link between the check and the open. Sound fixes are to open the trace file with O_NOFOLLOW together with O_CREAT|O_EXCL, to drop to the invoking user's privileges before opening any user-supplied path, or to remove the -trace option from the privileged binary altogether.
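The following C program is an added example written for this page; it is not Qpopper's code and does not reproduce popauth. It builds the attack layout from Steps 1 to 4 in a fresh temporary directory (a stand-in "target" file and a "trace" symlink pointing at it), then opens the link once with the unsafe fopen("w") pattern described above and once with the hardened O_NOFOLLOW|O_CREAT|O_EXCL open. Both the file names and the trace message are assumptions made for the demonstration. It runs as the invoking user rather than as a set-user-ID pop account, which is enough to show the link being followed, since the kernel's behaviour at open time is the same either way.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not Qpopper's source): the user-supplied
   trace path is opened with fopen("w"), which follows symbolic links and
   truncates whatever the link points to. */
static int trace_open_unsafe(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("popauth: trace started\n", f);   /* assumed trace message */
    return fclose(f);
}

/* Hardened pattern: refuse to follow a symlink (O_NOFOLLOW), refuse to reuse
   an existing file (O_CREAT|O_EXCL), and create the trace file mode 0600.
   On Linux, O_CREAT|O_EXCL on a symlink fails with EEXIST before O_NOFOLLOW
   is consulted; other systems report ELOOP. Either way nothing is written. */
static int trace_open_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    const char msg[] = "popauth: trace started\n";
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

static int read_file(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 0;
}

/* Constructs the attack layout in a temporary directory:
     <dir>/target          stands in for a file the attacker wants to clobber
     <dir>/trace -> target the attacker's symlink, passed as the -trace path
   then calls `opener` on the link. Returns 1 if target was overwritten,
   0 if it survived, -1 on setup failure. A failed open's errno goes to *err_out. */
static int run_symlink_attack(int (*opener)(const char *), int *err_out) {
    char dir[] = "/tmp/popauth-demo.XXXXXX";   /* assumed scratch location */
    char target[128], lnk[128], buf[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/trace", dir);
    if (write_file(target, "original contents\n") != 0 || symlink(target, lnk) != 0)
        return -1;
    errno = 0;
    int rc = opener(lnk);
    if (err_out != NULL)
        *err_out = rc < 0 ? errno : 0;
    if (read_file(target, buf, sizeof buf) != 0)
        return -1;
    int clobbered = strcmp(buf, "original contents\n") != 0;
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return clobbered;
}

static int unsafe_open_clobbers_target(void) { return run_symlink_attack(trace_open_unsafe, NULL); }
static int safe_open_clobbers_target(void)   { return run_symlink_attack(trace_open_safe, NULL); }
static int safe_open_errno(void) {
    int e = 0;
    run_symlink_attack(trace_open_safe, &e);
    return e;
}

int main(void) {
    printf("fopen(\"w\") through symlink:           target %s\n",
           unsafe_open_clobbers_target() ? "OVERWRITTEN" : "intact");
    int e = safe_open_errno();
    printf("O_NOFOLLOW|O_EXCL through symlink:   target %s, open failed: %s\n",
           safe_open_clobbers_target() ? "OVERWRITTEN" : "intact", strerror(e));
    return 0;
}
```

The hardened open is the minimum fix for the trace file itself; in a set-user-ID program the more robust change is to drop to the real user's privileges (seteuid(getuid())) before touching any path the user supplied, so that even a correctly refused symlink cannot be replaced by some other trick that the privileged account would be allowed to write.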