CVE-2001-1487

Source: cve@mitre.org

MEDIUM
4.6
Published: December 31, 2001 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

popauth utility in Qualcomm Qpopper 4.0 and earlier allows local users to overwrite arbitrary files and execute commands as the pop user via a symlink attack on the -trace file option.

CVSS Metrics

Base Score
4.6
Severity
MEDIUM
Vector String
AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible in Qualcomm Qpopper versions 4.0 and earlier because of a flaw in the popauth utility. A local attacker can overwrite arbitrary files and potentially gain root access through a symlink attack on the file named by the -trace option.

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify a system running a vulnerable version of Qualcomm Qpopper (4.0 or earlier).

Step 2: Symlink Creation: Create a symbolic link, typically named tracefile or similar, that points to a critical system file, such as /etc/passwd or a shadow file. The attacker needs write permissions to the directory where the trace file will be created.

Step 3: Triggering popauth: Invoke the popauth utility with the -trace option, specifying the name of the symlink as the trace file. This can be done by sending a crafted POP3 request to the server.

Step 4: Race Condition Exploitation: The popauth utility opens the file named by the -trace option. Because the symlink is already in place when that open happens, the call follows the link, and the utility, running with the privileges of the pop user, overwrites the file the symlink points to.

Step 5: Privilege Escalation: If the symlink points to a file like /etc/passwd, the attacker can insert a new user with elevated privileges (e.g., root) or modify an existing user's password. This allows the attacker to gain control of the system.

03 // Deep Technical Analysis

The vulnerability stems from a race condition within the popauth utility. When the -trace option is used, the utility opens the named file for writing. An attacker can exploit this by creating a symbolic link (symlink) pointing to a sensitive file (e.g., /etc/passwd) before popauth opens the trace file. The utility, running with the privileges of the pop user, then overwrites the target file, allowing the attacker to modify system files and potentially gain elevated privileges. The core flaw is the lack of input validation and the insecure handling of the trace file path: popauth opens the path by name without refusing to follow a symbolic link, which is what makes the symlink attack possible.
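The open-by-path pattern described above, as an added example that is not Qpopper's code: the unsafe trace-file open that follows a pre-placed symlink beside a hardened open that refuses it, with a constructed temp-directory check. The function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: O_TRUNC follows a symlink at `path` and truncates
 * whatever it points to, which is the primitive a symlink attack relies on. */
int open_trace_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything already exists at `path`
 * (including a dangling symlink) and O_NOFOLLOW refuses to follow a symlink
 * in the final component, so a pre-placed link can never be written through. */
int open_trace_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a fresh temporary directory: a "victim" file plus a
 * symlink named like a trace file that points at it. Returns 1 when the
 * hardened open refuses the link and the victim keeps its 10 bytes. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/tracedemoXXXXXX";
    char victim[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/tracefile", dir);

    FILE *f = fopen(victim, "w");
    if (f == NULL) return 0;
    fputs("important\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return 0;

    int fd = open_trace_safe(link);       /* expected: -1 with EEXIST or ELOOP */
    int refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd != -1) close(fd);
    int intact = (stat(victim, &st) == 0 && st.st_size == 10);

    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact;
}

int main(void) { return demo_symlink_refused() ? 0 : 1; }
```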

04 // Exploitation Status

While this vulnerability is old, it is still a viable attack vector if vulnerable systems are present. **Public PoC** exploits likely exist, and the ease of exploitation makes it a potentially attractive target. It is unlikely to be **Actively exploited** in the wild, but it is possible on legacy systems.

05 // Threat Intelligence

This vulnerability is unlikely to be directly associated with specific APT groups due to its age. However, any attacker seeking to gain local privilege escalation could utilize this exploit. CISA KEV status is unlikely due to the age of the vulnerability and the limited impact today.

06 // Detection & Hunting

  • Monitor system logs for unusual activity related to the popauth utility, especially the use of the -trace option.

  • Analyze file system changes, particularly modifications to sensitive files like /etc/passwd, /etc/shadow, and system configuration files.

  • Network traffic analysis: Examine POP3 traffic for unusual patterns or requests that might trigger the vulnerability.

  • File integrity monitoring (FIM) to detect unauthorized changes to critical system files.

07 // Remediation & Hardening

  • Upgrade to a patched version of Qualcomm Qpopper or a different POP3 server software. This is the most effective solution.

  • If upgrading is not possible, disable the -trace option in the popauth utility. This mitigates the vulnerability.

  • Implement file system permissions that restrict write access to sensitive files like /etc/passwd and /etc/shadow to only authorized users.

  • Regularly audit system logs and file integrity to detect any suspicious activity.

  • Use a file integrity monitoring tool to detect unauthorized changes to critical files.

08 // Affected Products

Qualcomm Qpopper 4.0 and earlier

09 // Discovered Proof of Concept Links