OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Will DeHaan (eclipsesun.com)
Date: Mon Jul 09 2001 - 14:03:06 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Andrea Barisani wrote:
    >
    > On some cobalt raq3 servers (with the poprelayd add-on packet installed )
    > and in general on any system running the poprelayd script with sendmail is
    > possible to "inject" this string in the syslog using sendmail logging. So
    > anyone can insert a fake string with his own IP wich will be parsed by
    > poprelayd and that will permit the use of sendmail as a relay.

    Hello,

    Attached you'll find an experimental patch (apply to
    /usr/local/sbin/poprelayd) to immediately correct the email relay
    exploit. This patch is integrated into the current version 2.0
    poprelayd RPM at:

    ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm
    md5sum 52af3c84c93914908ced089526521330

    ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm
    md5sum 4a526733a2da5cfe996f53032b136e1e

    A supported fix to this email relay exploit will be integrated into
    forthcoming security update packages for Qube and RaQ products.

    Thank you for reporting this issue to Bugtraq. We also appreciate
    direct reporting of any Sun Cobalt security issues by sending email to
    securitycobalt.com.

    Cheers,

            -- Will

    -- 
    Will DeHaan
    Software Engineer              will.dehaansun.com
    Sun Cobalt Server Appliances.  Sun Microsystems, Inc.
    

    --- poprelayd-2.0-3 Mon Jul 9 10:29:40 2001 +++ poprelayd Mon Jul 9 10:27:27 2001 -175,16 +175,19 my $s = $_[0]; my paddrs; # Packed IP addresses. my addrs; # ASCII addresses. - my $junk; # POP login by user "admin" at (10.9.28.29) 10.9.28.29 - if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) { - return $1; + # ensure line ends at IP address. Filter on rejection codes + if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /reject=\d/i); } # imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29] - if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) { - return $1; + # ensure line ends at IP address. Filter on rejected syntax. + if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /unknown command/i); } return ();