Re: poprelayd and sendmail relay authentication problem

From: Ed Ravin (eravinat_private)
Date: Fri Jul 06 2001 - 18:33:36 PDT


Ramón Reyes Carrión writes:

> A quick workaround that I have just applied is to make sure that the
> string does not contain /sendmail/ so it cannot be injected into syslog
> via sendmail (may be injected some other way!).

Better to anchor the pattern match to the beginning of the line, so
that there is no way any program can trick poprelayd.  For example:

	# Anchor on the syslog header (timestamp, host, daemon[pid]) so the
	# login text only matches when the POP/IMAP daemon itself logged it.
	if ($s =~ /^\w+\s+\d+\s+\d+:\d+:\d+\s+[^: ]+ (imapd|pop3d)\[(\d+)\]: login: \S*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]/) {
		($daemon, $pid, $clientip) = ($1, $2, $3);
		add_to_db($clientip);
	}

The above example is for US-style syslog timestamps, things might be
different elsewhere.  Also, you need to make sure that your syslogd
is not accepting traffic from anywhere except a local Unix-domain
socket, since otherwise the attacker could forge a syslog message
directly.

> > The syslog string searched by the script is in this form for the qpop
> > server
> > 	
> > /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)
> > 
> > On some cobalt raq3 servers (with the poprelayd add-on packet installed )  
> > and in general on any system running the poprelayd script with sendmail it is
> > possible to "inject" this string in the syslog using sendmail logging. So
> > anyone can insert a fake string with his own IP which will be parsed by
> > poprelayd and that will permit the use of sendmail as a relay.

This archive was generated by hypermail 2b30 : Sat Jul 07 2001 - 13:43:24 PDT