Bugtraq mailing list archives
ANNOUNCE: qmail Security Challenge
From: dsill@HIGHLAND.NET (Dave Sill)
Date: Wed, 18 Jun 1997 07:58:18 EST
Background

In February, 1996, Daniel J. Bernstein released the first public beta test version of qmail, a Message Transfer Agent (MTA). One of his primary motivations for developing qmail was the notorious insecurity of the "standard" UNIX MTA, sendmail.

Unlike sendmail, qmail was designed to be secure in today's hostile Internet environment. It does as little as possible in setuid programs and as little as possible as the superuser--and does nothing setuid root. It does separate functions in separate, mutually untrusting programs--breaking one function won't break the whole system. It avoids error-prone parsing as much as it can. It keeps the distinction between addresses and programs/files clear so it won't be tricked into accessing the system in unintended ways. It is also small and simple, yet surprisingly powerful, and was coded with almost fanatical care to avoid security pitfalls.

The Challenge

Now that qmail version 1.01 is available, a group of qmail supporters from the djb-qmail mailing list has pooled its resources and issued a challenge to the UNIX security community intended to subject qmail to the same kind of rigorous inspection that sendmail has been given. They're offering a cash prize (currently $375, although $500 has been pledged) to the first person or group to find a security bug in qmail.

Dan Bernstein has also offered his own $500 reward, but he requires that the bug be present on a system with publicly available source code so he can be sure the problem really lies with qmail, not the operating system. Contact Dan for more information about his offer.

Rules

1. The qmail Security Challenge, hereinafter referred to as "The Challenge", begins April 23, 1997, and ends when the prize is awarded or at midnight, Eastern daylight savings time, April 23, 1998, whichever comes first.

2. The Challenge is being run by the Challenge Committee, hereinafter referred to as "The Committee", consisting of Dave Sill (chairman) and all bona fide donors. The Committee is independent, and is not associated with any other organization.

3. A maximum of one prize will be awarded.

4. The prize will be a cashier's check in US dollars equal to the total amount of the donations of the individual Committee members plus any interest earned on the donations during The Challenge. The prize is being held in escrow by the chairman and currently totals three hundred seventy five US dollars (US$375).

5. Unclaimed prize money will be donated to the Free Software Foundation after the contest ends.

6. To qualify for the prize, the bug must be in the current public release of qmail at the time a claim is filed. For example, if a bug is discovered in 1.01 after a subsequent release, but the bug is fixed in the new release, it's disqualified.

7. Bugs that qualify for the prize, subject to the other conditions outlined in these rules, must be one of the following:
   - Remote exploits that give login access.
   - Local or remote exploits that grant root privileges.
   - Local or remote exploits that grant read or write access to a file the user can't normally access because of UNIX access controls (owner/group/mode).
   - Local or remote exploits that cause any of the long-lived qmail processes (currently: qmail-send, qmail-rspawn, qmail-lspawn, or qmail-clean) to terminate.

8. The following types of bugs are specifically disqualified:
   - Exploits that involve corrupting DNS data, breaking TCP/IP, breaking NFS, or denying service (except for the case above).
   - Exploits based on bugs in the host operating system or other non-qmail code (for example, it's not qmail's fault if vendor X has a bug that allows users to exploit any setuid program).
   - Exploits based on insecure shell commands in .qmail files (for example, a .qmail file that grants login access either intentionally or inadvertently).
   - Exploits based on insecure customized configuration beyond the minimal install (i.e., normal modifications to control files to set up virtual domains, etc., are OK, but if the admin writes a program to rewrite headers, it's not covered).
   - Exploits that are not reproducible by The Committee.

9. Claims will be tested on a system with a minimal qmail configuration based on the INSTALL file included with the qmail distribution, plus any qualifying modifications to /var/qmail/control files specified by the claimant.

10. To submit a claim, details must be sent to dsill@highland.net before the contest ends. Claims will be evaluated in the order received. Entries will be acknowledged by return e-mail. The Committee will not be responsible for unacknowledged entries. The Committee will evaluate claims within sixty (60) days of confirmed receipt of submission.

11. The Committee disclaims all liability for anything related to the contest. The Committee will not award the prize to anyone who causes any disruption in service to any system that is not the responsibility of the claimant. We recommend that all testing be done on systems dedicated to that purpose.

12. These rules can be modified at any time by The Committee. Rules changes will be announced on the djb-qmail@koobera.math.uic.edu mailing list. Claims will be evaluated against the most recently announced rules at the time the claim is received by The Committee.

This document is also available from <URL:http://web.infoave.net/~dsill/qmail.html>.
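The Background section states that qmail keeps setuid programs to a minimum and installs nothing setuid root. The following audit, an added example that is not code from the announcement or from the qmail project, checks an installed qmail bin directory against that claim; the /var/qmail/bin path is assumed from the INSTALL layout the rules refer to, and the sample stat entries are constructed so the script also runs where qmail is not installed.

```python
import os
import stat
from typing import Iterable, List, Tuple

QMAIL_BIN = "/var/qmail/bin"  # assumed default install location; adjust if needed
Entry = Tuple[str, int, int]  # (path, st_mode, st_uid) as reported by os.lstat

# Constructed sample stat results (not from a real install): a plain binary, a
# binary setuid to an unprivileged uid, and a setuid-root file that would contradict
# the announcement's "nothing setuid root" claim.
SAMPLE_ENTRIES = [
    ("/var/qmail/bin/qmail-send", 0o100755, 0),
    ("/var/qmail/bin/qmail-queue", 0o104711, 1001),
    ("/var/qmail/bin/bogus-setuid-root", 0o104755, 0),
]

def collect_entries(bindir: str = QMAIL_BIN) -> List[Entry]:
    """Mode and owner of every regular file directly under bindir."""
    entries = []
    for name in sorted(os.listdir(bindir)):
        path = os.path.join(bindir, name)
        st = os.lstat(path)  # lstat so symlinks are reported, not followed
        if stat.S_ISREG(st.st_mode):
            entries.append((path, st.st_mode, st.st_uid))
    return entries

def classify(entries: Iterable[Entry]) -> dict:
    """Split into setuid-root (violates the stated design), setuid to another uid (review each), and plain."""
    report = {"setuid_root": [], "setuid_other": [], "plain": []}
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            report["plain"].append(path)
        elif uid == 0:
            report["setuid_root"].append(path)
        else:
            report["setuid_other"].append((path, uid))
    return report

def audit(entries: Iterable[Entry]) -> bool:
    """Print findings; return True only when nothing is setuid root."""
    report = classify(entries)
    for path in report["setuid_root"]:
        print("VIOLATION: setuid root:", path)
    for path, uid in report["setuid_other"]:
        print("NOTE: setuid to uid %d, review:" % uid, path)
    return not report["setuid_root"]

if __name__ == "__main__":
    source = collect_entries() if os.path.isdir(QMAIL_BIN) else SAMPLE_ENTRIES
    raise SystemExit(0 if audit(source) else 1)
```

The exit status is non-zero when a setuid-root binary is found, so the script can be dropped into a post-install check.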