[21421] in bugtraq
Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
daemon@ATHENA.MIT.EDU (Will DeHaan)
Mon Jul 9 20:36:04 2001
Message-ID: <3B49FFEA.2CBCB810@sun.com>
Date: Mon, 09 Jul 2001 12:03:06 -0700
From: Will DeHaan <eclipse@sun.com>
MIME-Version: 1.0
To: Andrea Barisani <lcars@infis.univ.trieste.it>
Cc: bugtraq@securityfocus.com
Content-Type: multipart/mixed;
boundary="------------141EB92875801205522B75FA"
--------------141EB92875801205522B75FA
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Andrea Barisani wrote:
>
> On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> and in general on any system running the poprelayd script with sendmail is
> possible to "inject" this string in the syslog using sendmail logging. So
> anyone can insert a fake string with his own IP wich will be parsed by
> poprelayd and that will permit the use of sendmail as a relay.
Hello,
Attached you'll find an experimental patch (apply to
/usr/local/sbin/poprelayd) to immediately correct the email relay
exploit. This patch is integrated into the current version 2.0
poprelayd RPM at:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm
md5sum 52af3c84c93914908ced089526521330
ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm
md5sum 4a526733a2da5cfe996f53032b136e1e
A supported fix to this email relay exploit will be integrated into
forthcoming security update packages for Qube and RaQ products.
Thank you for reporting this issue to Bugtraq. We also appreciate
direct reporting of any Sun Cobalt security issues by sending email to
security@cobalt.com.
Cheers,
-- Will
--
Will DeHaan
Software Engineer will.dehaan@sun.com
Sun Cobalt Server Appliances. Sun Microsystems, Inc.
--------------141EB92875801205522B75FA
Content-Type: text/plain; charset=us-ascii;
name="poprelay.regexpoit.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="poprelay.regexpoit.patch"
--- poprelayd-2.0-3 Mon Jul 9 10:29:40 2001
+++ poprelayd Mon Jul 9 10:27:27 2001
@@ -175,16 +175,19 @@
my $s = $_[0];
my @paddrs; # Packed IP addresses.
my @addrs; # ASCII addresses.
- my $junk;
# POP login by user "admin" at (10.9.28.29) 10.9.28.29
- if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) {
- return $1;
+ # ensure line ends at IP address. Filter on rejection codes
+ if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/) {
+ my $authuser = $1;
+ return $authuser unless ($s =~ /reject=\d/i);
}
# imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29]
- if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) {
- return $1;
+ # ensure line ends at IP address. Filter on rejected syntax.
+ if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) {
+ my $authuser = $1;
+ return $authuser unless ($s =~ /unknown command/i);
}
return ();
--------------141EB92875801205522B75FA--
