Andrea Barisani wrote: > > On some cobalt raq3 servers (with the poprelayd add-on packet installed ) > and in general on any system running the poprelayd script with sendmail is > possible to "inject" this string in the syslog using sendmail logging. So > anyone can insert a fake string with his own IP wich will be parsed by > poprelayd and that will permit the use of sendmail as a relay. Hello, Attached you'll find an experimental patch (apply to /usr/local/sbin/poprelayd) to immediately correct the email relay exploit. This patch is integrated into the current version 2.0 poprelayd RPM at: ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm md5sum 52af3c84c93914908ced089526521330 ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm md5sum 4a526733a2da5cfe996f53032b136e1e A supported fix to this email relay exploit will be integrated into forthcoming security update packages for Qube and RaQ products. Thank you for reporting this issue to Bugtraq. We also appreciate direct reporting of any Sun Cobalt security issues by sending email to securityat_private Cheers, -- Will -- Will DeHaan Software Engineer will.dehaanat_private Sun Cobalt Server Appliances. Sun Microsystems, Inc. --- poprelayd-2.0-3 Mon Jul 9 10:29:40 2001 +++ poprelayd Mon Jul 9 10:27:27 2001 @@ -175,16 +175,19 @@ my $s = $_[0]; my @paddrs; # Packed IP addresses. my @addrs; # ASCII addresses. - my $junk; # POP login by user "admin" at (10.9.28.29) 10.9.28.29 - if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) { - return $1; + # ensure line ends at IP address. Filter on rejection codes + if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /reject=\d/i); } # imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29] - if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) { - return $1; + # ensure line ends at IP address. Filter on rejected syntax. + if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /unknown command/i); } return ();
This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 17:37:01 PDT