Bugtraq mailing list archives
Re: Anonymous Qmail Denial of Service
From: djb () CR YP TO (D. J. Bernstein)
Date: Sat, 9 Jan 1999 22:12:31 -0000
Perry E. Metzger writes:
> You attacked Postfix for being subject to a DoS attack.

I pointed out that the IBM Secure Mailer allowed local users to

   * anonymously destroy messages accepted by the MTA from other users;
   * obtain traffic information that some sites consider private;
   * on some UNIX variants, charge mail to the wrong user; and
   * under specialized circumstances, steal unreadable files.

Which of these are you calling a ``denial-of-service attack,'' Perry?

I did mention, as part of the first two attacks, how to anonymously slow down the IBM Secure Mailer drop-directory daemon by making many links in the queue. (Other people pointed out bugs that let a user anonymously force the daemon to exit.) But I didn't criticize the IBM Secure Mailer for allowing this denial-of-service attack; I brought it up merely to make clear that an attacker could easily win races with the daemon.

(Amusing historical note: On 12 June 1997, the IBM Secure Mailer author publicly suggested that his MTA was immune to denial-of-service attacks. Namely, after I said ``There are literally dozens of denial-of-service attacks on all Internet mail systems, including Wietse's VaporMail,'' he said ``You did not get a copy so you can't possibly know its resource limiting features.'')

Anyway, Perry, you've also claimed in public that these security holes are just my imagination; that they ``aren't real security issues''; and that they ``were understood during the alpha test.'' Would you like to explain these statements to the bugtraq readership?

ObSecurity: In the two weeks after my first public statement of these security holes, the IBM Secure Mailer was changed in three ways:

   * The world-writable drop directory was made unreadable. The IBM Secure Mailer author called this a ``solution'' and claimed that inode numbers offer 15 bits of randomness. In fact, on almost all UNIX systems today, inode numbers are trivially predictable. This is security through obscurity.

   * Multiply linked files were delivered rather than removed. The only effect of this change is that ``anonymously destroy messages'' is now ``anonymously duplicate messages.'' Much less frightening, of course; but the drop directory still isn't secure.

   * The world-writable drop directory was _optionally_ replaced by a setgid program writing to a group-writable directory. This is a real solution, if the setgid program is secure. But---perhaps because of religious views about multiple-process inefficiency and setuid/setgid insecurity---this isn't the default!

The bottom line is that the IBM Secure Mailer remains insecure. IBM still hasn't put any security alerts on the IBM Secure Mailer download pages; they merely mention that the latest update fixes ``one directory permission mistake.'' Do they not understand that they're practically begging the security community to publish exploit scripts?

``Postfix is still in beta,'' some people respond. So what? IBM engaged in a massive press campaign to advertise this software. They said that sendmail had ``nasty bugs'' that did ``dumb things'' such as ``delete files.'' They encouraged people to download and install the IBM Secure Mailer instead. They didn't say ``By the way, it's still in beta test, and so we aren't taking security seriously.''

---Dan
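The post above turns on two properties of a mail drop directory: whether untrusted local users can create entries in it (a world-writable directory), and whether a queue file the daemon picks up is what the submitting user created (a single-linked regular file owned by the expected user, not a hard link or symlink planted by someone else). The following is an added example, not part of the original post or of any MTA's own code, that shows how a drop-directory consumer can check both properties. The directory and file checks, the hypothetical `expected_uid` parameter, and the constructed temporary directory layout are all assumptions of this example; the file check deliberately opens the file first and inspects the open descriptor with `fstat`, so the decision is made on the same inode that will be read rather than on a path that could be swapped in between.

```python
import errno
import os
import shutil
import stat
import tempfile


def check_drop_directory(path):
    """Return a list of problems with a mail drop directory (empty list = acceptable).

    A world-writable directory lets any local user create, link and rename
    entries in the queue; a group-writable directory reached only through a
    setgid submission program does not.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_queue_file(path, expected_uid):
    """Open a queued file and validate the *opened* inode (empty list = acceptable).

    Checks performed on the descriptor, not the path name:
      - refuse symlinks (O_NOFOLLOW);
      - require a regular file;
      - require exactly one link, so the same inode is not also reachable
        under a name controlled by another user;
      - require the expected owner and no group/world write permission.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return ["refused to follow symlink"]
        return ["open failed: %s" % e.strerror]
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_nlink != 1:
        problems.append("multiply linked (nlink=%d)" % st.st_nlink)
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def demo():
    """Build a constructed drop-directory layout in a temp dir and run both checks."""
    root = tempfile.mkdtemp()
    try:
        me = os.getuid()
        # Constructed: a group-writable drop directory (the setgid-helper model).
        good_dir = os.path.join(root, "maildrop")
        os.mkdir(good_dir)
        os.chmod(good_dir, 0o770)
        # Constructed: a world-writable, sticky drop directory.
        bad_dir = os.path.join(root, "maildrop-open")
        os.mkdir(bad_dir)
        os.chmod(bad_dir, 0o1777)
        # Constructed: a properly submitted message file.
        good_file = os.path.join(good_dir, "msg1")
        with open(good_file, "w") as f:
            f.write("From: constructed@example.invalid\n\nhello\n")
        os.chmod(good_file, 0o600)
        # Constructed: the same inode reachable under a second name (hard link).
        linked_file = os.path.join(good_dir, "msg2")
        with open(linked_file, "w") as f:
            f.write("duplicate me\n")
        os.chmod(linked_file, 0o600)
        os.link(linked_file, os.path.join(root, "alias"))
        # Constructed: a symlink placed in the queue pointing at another file.
        sym = os.path.join(good_dir, "msg3")
        os.symlink(good_file, sym)
        return {
            "group_writable_dir": check_drop_directory(good_dir),
            "world_writable_dir": check_drop_directory(bad_dir),
            "good_file": check_queue_file(good_file, me),
            "linked_file": check_queue_file(linked_file, me),
            "symlink": check_queue_file(sym, me),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-20s %s" % (name, problems or "ok"))
```

The `st_nlink` check is what distinguishes the second change the post describes (delivering multiply linked files instead of removing them) from an actual fix: a consumer that refuses a file with more than one link never has to decide whether to delete or deliver something another user may also have a name for. Running the block lists each constructed case with the problems found, or `ok`.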