
Re: [cobalt-security] poprelay: serious security bug



I've been doing some testing and have developed a workaround (it's a hack
but works against the posted exploit) for those worried and not willing to
wait for Cobalt to release a timely patch (see below):

> For those running the poprelayd POP-before-relay daemon (including the
> "official" Cobalt release), you should note that a serious bug + exploit
> has been posted to BugTraq with specific reference to the Cobalt RaQ3
> (but will certainly affect _all_ the RaQ servers running poprelayd):
>
> http://www.securityfocus.com/templates/archive.pike?mid=194906&threads=0&list=1&end=2001-07-07&start=2001-07-01&fromthread=0&
>
> The bug + exploit allows anyone to relay mail through the server. We can
> only hope that Cobalt comes out with a remedy for this problem *very*
> quickly.

To implement the workaround you need to do the following (take care with
line wraps in email clients):

Note: This has been tested to work on 2 Cobalt RaQ4's with all current
official packages installed. You implement it at your own risk.

1. TELNET/SSH into your server and su to root
2. Make a safe copy of the poprelayd daemon file:
cd /usr/local/sbin
cp poprelayd poprelayd.old
3. Edit poprelayd:
pico -w poprelayd
4. Change the following line:

from (all one line):

    if ($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/)  {

to (all one line):

    if (($s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/) and ($s !~ /reject\=553/) and ($s !~ /from\=/))  {

5. Check file for perl syntax:
perl -c poprelayd
(should get "poprelayd syntax OK")
6. Restart the poprelayd daemon:
/etc/rc.d/init.d/poprelayd restart
7. TEST to ensure it works as normal. If it doesn't, restore the safe copy,
restart the daemon and scream!

Regards,
Jonathan Michaelson
Commercial Perl CGI Scripting
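
As an added example that is not part of this message or of Cobalt's poprelayd, the Perl script below applies the test as shipped in poprelayd and the patched test to three constructed maillog lines (made up here, including the usernames, hostnames, queue IDs and addresses) and prints which client IP each version would add to the relay list. It also makes the limit of the workaround visible: the patched test only excludes lines containing the literal substrings reject=553 or from=, so a forged POP-login string that reaches a maillog line containing neither would still match.

```perl
#!/usr/bin/perl
# Added example: not part of the original message or of Cobalt's poprelayd.
# Applies the original poprelayd test and the patched one to constructed
# maillog lines and reports which client IP each version would whitelist.
use strict;
use warnings;

# Constructed sample maillog lines (made up for this example, not captured
# from a real RaQ). Hosts and IPs are documentation addresses.
my @maillog = (
    # 1. A genuine POP login: both versions should whitelist 192.0.2.10.
    'Jul  7 10:00:01 raq ipop3d[1234]: POP login by user "alice" at (client.example.net) 192.0.2.10',

    # 2. A sendmail "from=" line whose sender address carries the POP-login
    #    string: the original test wrongly whitelists 198.51.100.7.
    'Jul  7 10:00:05 raq sendmail[1235]: f67E05x01235: from=<POP login by user "x" at (evil) 198.51.100.7>, size=0, class=0, nrcpts=0, proto=SMTP, relay=[198.51.100.7]',

    # 3. A sendmail relay rejection carrying the same string in the recipient:
    #    there is no "from=" here, so the reject=553 check is what keeps it out.
    'Jul  7 10:00:06 raq sendmail[1236]: f67E06x01236: ruleset=check_rcpt, arg1=<POP login by user "x" at (evil) 198.51.100.7>, relay=[198.51.100.7], reject=553 5.3.0 <attacker@example.org>... Relaying denied',
);

# The test as shipped in poprelayd: any line carrying the POP-login pattern
# yields the IP at the end of the pattern, whoever wrote the line.
sub original_test {
    my ($s) = @_;
    my ($ip) = $s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/;
    return $ip;    # undef when the pattern is absent
}

# The workaround: same pattern, but lines containing "reject=553" or "from="
# (the sendmail lines the posted exploit lands on) are excluded. This is a
# substring exclusion, not a log parser: the forged string still matches on
# any maillog line that contains neither substring.
sub patched_test {
    my ($s) = @_;
    my ($ip) = $s =~ /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9\.]+)/;
    return undef unless defined $ip;
    return undef if $s =~ /reject\=553/ or $s =~ /from\=/;
    return $ip;
}

my $n = 0;
for my $line (@maillog) {
    $n++;
    my $orig = original_test($line);
    my $new  = patched_test($line);
    printf "line %d: original would whitelist %-14s patched would whitelist %s\n",
        $n,
        defined $orig ? $orig : '(nothing)',
        defined $new  ? $new  : '(nothing)';
}
```

Run it with `perl` on any host; it needs nothing from the RaQ. Line 1 is whitelisted by both versions, lines 2 and 3 only by the original test, which is exactly the difference the one-line change in step 4 makes.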