Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)

From: Will DeHaan (eclipseat_private)
Date: Mon Jul 09 2001 - 12:03:06 PDT

Next message: Jochen Bauer: "Re: Check Point FireWall-1 RDP Bypass Vulnerability"

Previous message: sebi hegi: "dip 3.3.7p-overflow"
In reply to: Andrea Barisani: "poprelayd and sendmail relay authentication problem (Cobalt Raq3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrea Barisani wrote:
> 
> On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> and in general on any system running the poprelayd script with sendmail is
> possible to "inject" this string in the syslog using sendmail logging. So
> anyone can insert a fake string with his own IP wich will be parsed by
> poprelayd and that will permit the use of sendmail as a relay.

Hello,

Attached you'll find an experimental patch (apply to
/usr/local/sbin/poprelayd) to immediately correct the email relay
exploit.  This patch is integrated into the current version 2.0
poprelayd RPM at:

ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm
md5sum 52af3c84c93914908ced089526521330

ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm
md5sum 4a526733a2da5cfe996f53032b136e1e

A supported fix to this email relay exploit will be integrated into
forthcoming security update packages for Qube and RaQ products.  

Thank you for reporting this issue to Bugtraq.  We also appreciate
direct reporting of any Sun Cobalt security issues by sending email to
securityat_private

Cheers,


	-- Will

-- 
Will DeHaan
Software Engineer              will.dehaanat_private
Sun Cobalt Server Appliances.  Sun Microsystems, Inc.

--- poprelayd-2.0-3	Mon Jul  9 10:29:40 2001
+++ poprelayd	Mon Jul  9 10:27:27 2001
@@ -175,16 +175,19 @@
     my $s = $_[0];
     my @paddrs;		# Packed IP addresses.
     my @addrs;		# ASCII addresses.
-    my $junk;
 
     # POP login by user "admin" at (10.9.28.29) 10.9.28.29
-    if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/)  {
-        return $1;
+    # ensure line ends at IP address.  Filter on rejection codes
+    if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/)  {
+        my $authuser = $1;
+        return $authuser unless ($s =~ /reject=\d/i);
     }
 
     # imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29]
-    if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) {
-        return $1;
+    # ensure line ends at IP address.  Filter on rejected syntax.
+    if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) {
+        my $authuser = $1;
+        return $authuser unless ($s =~ /unknown command/i);
     }
 
     return ();

Next message: Jochen Bauer: "Re: Check Point FireWall-1 RDP Bypass Vulnerability"
Previous message: sebi hegi: "dip 3.3.7p-overflow"
In reply to: Andrea Barisani: "poprelayd and sendmail relay authentication problem (Cobalt Raq3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 17:37:01 PDT