Bugtraq mailing list archives
Re: poprelayd and sendmail relay authentication problem
From: Ed Ravin <eravin () panix com>
Date: Fri, 6 Jul 2001 21:33:36 -0400 (EDT)
Ram'on Reyes Carri'on writes:
A quick workaround that I have just applied is to make sure that the string does not contain /sendmail/ so it cannot be injected into syslog via sendmail (may be injected some other way!).
Better to anchor the pattern match to the beginning of the line, so that there is no way any program can trick poprelayd. For example:

    if ($s =~ /^\w+\s+\d+\s+\d+:\d+:\d+\s+[^: ]+ (imapd|pop3d)\[(\d+)\]: login: \S*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]/) {
        ($daemon, $pid, $clientip) = ($1, $2, $3);
        add_to_db($clientip);
    }

The above example is for US-style syslog timestamps; things might be different elsewhere. Also, you need to make sure that your syslogd is not accepting traffic from anywhere except a local Unix-domain socket, since otherwise the attacker could forge a syslog message directly.
The syslog string searched by the script is in this form for the qpop server:

    /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

On some cobalt raq3 servers (with the poprelayd add-on packet installed) and in general on any system running the poprelayd script with sendmail it is possible to "inject" this string in the syslog using sendmail logging. So anyone can insert a fake string with his own IP which will be parsed by poprelayd and that will permit the use of sendmail as a relay.
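As an added illustration (not part of Ed Ravin's message nor of poprelayd itself), the Python below runs an unanchored match in the spirit of the vulnerable check beside Ed's anchored pattern over constructed syslog lines; the sendmail line and all host names and addresses are made up for the example. The point is that the anchored pattern only accepts a login string when the daemon tag itself is the one that produced the line.

```python
import re

# Constructed sample syslog lines (not taken from the original post):
#  1. a genuine pop3d login line
#  2. a sendmail line whose envelope-sender field carries a fake
#     "pop3d[...]: login:" string with an address of the sender's choosing
#  3. a genuine imapd login line
SAMPLE_LOG = """\
Jul  6 21:33:36 mailhost pop3d[1234]: login: alice[192.0.2.10]
Jul  6 21:34:01 mailhost sendmail[1250]: f66LY1x01250: from=<pop3d[999]: login: x[198.51.100.7]@example.org>, size=1, class=0
Jul  6 21:35:12 mailhost imapd[1301]: login: bob[192.0.2.11]
"""

# Unanchored pattern: the login string is accepted wherever it occurs on the
# line, so any daemon that logs attacker-supplied text can satisfy it.
LOOSE = re.compile(
    r'(imapd|pop3d)\[(\d+)\]: login: \S*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]'
)

# Anchored pattern from Ed Ravin's reply (US-style syslog timestamp): the
# daemon tag must directly follow the timestamp and host name, which is the
# position syslogd fills in itself, so a sendmail line can never match.
ANCHORED = re.compile(
    r'^\w+\s+\d+\s+\d+:\d+:\d+\s+[^: ]+ (imapd|pop3d)\[(\d+)\]: login: '
    r'\S*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]'
)


def relay_hosts(log_text, pattern):
    """Return the client IPs that `pattern` would hand to add_to_db()."""
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            daemon, pid, clientip = m.groups()
            hosts.append(clientip)
    return hosts


if __name__ == "__main__":
    print("unanchored:", relay_hosts(SAMPLE_LOG, LOOSE))
    print("anchored:  ", relay_hosts(SAMPLE_LOG, ANCHORED))
```

The unanchored run admits the address smuggled through sendmail's log line; the anchored run lists only the two real POP/IMAP logins.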
Current thread:
- poprelayd and sendmail relay authentication problem (Cobalt Raq3) Andrea Barisani (Jul 04)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Will DeHaan (Jul 09)
- <Possible follow-ups>
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Ram'on Reyes Carri'on (Jul 06)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christopher X. Candreva (Jul 07)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Chris Adams (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Todd R. Eigenschink (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) bdoctor (Jul 09)
- Re[2]: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christoph Kuhles (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Jason Clifford (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Walter Reed (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christopher X. Candreva (Jul 07)
- Re: poprelayd and sendmail relay authentication problem Ed Ravin (Jul 07)