Bugtraq mailing list archives
Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
From: Will DeHaan <eclipse () sun com>
Date: Mon, 09 Jul 2001 12:03:06 -0700
Andrea Barisani wrote:
On some cobalt raq3 servers (with the poprelayd add-on packet installed ) and in general on any system running the poprelayd script with sendmail is possible to "inject" this string in the syslog using sendmail logging. So anyone can insert a fake string with his own IP wich will be parsed by poprelayd and that will permit the use of sendmail as a relay.
Hello, Attached you'll find an experimental patch (apply to /usr/local/sbin/poprelayd) to immediately correct the email relay exploit. This patch is integrated into the current version 2.0 poprelayd RPM at: ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm md5sum 52af3c84c93914908ced089526521330 ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm md5sum 4a526733a2da5cfe996f53032b136e1e A supported fix to this email relay exploit will be integrated into forthcoming security update packages for Qube and RaQ products. Thank you for reporting this issue to Bugtraq. We also appreciate direct reporting of any Sun Cobalt security issues by sending email to security () cobalt com. Cheers, -- Will -- Will DeHaan Software Engineer will.dehaan () sun com Sun Cobalt Server Appliances. Sun Microsystems, Inc.
--- poprelayd-2.0-3 Mon Jul 9 10:29:40 2001 +++ poprelayd Mon Jul 9 10:27:27 2001 @@ -175,16 +175,19 @@ my $s = $_[0]; my @paddrs; # Packed IP addresses. my @addrs; # ASCII addresses. - my $junk; # POP login by user "admin" at (10.9.28.29) 10.9.28.29 - if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) { - return $1; + # ensure line ends at IP address. Filter on rejection codes + if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /reject=\d/i); } # imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29] - if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) { - return $1; + # ensure line ends at IP address. Filter on rejected syntax. + if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /unknown command/i); } return ();
Current thread:
- poprelayd and sendmail relay authentication problem (Cobalt Raq3) Andrea Barisani (Jul 04)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Will DeHaan (Jul 09)
- <Possible follow-ups>
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Ram'on Reyes Carri'on (Jul 06)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christopher X. Candreva (Jul 07)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Chris Adams (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Todd R. Eigenschink (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) bdoctor (Jul 09)
- Re[2]: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christoph Kuhles (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Jason Clifford (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Walter Reed (Jul 09)
- Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3) Christopher X. Candreva (Jul 07)
- Re: poprelayd and sendmail relay authentication problem Ed Ravin (Jul 07)