The OpenNET Project
Anonymous Qmail Denial of Service


Date: Sat, 9 Jan 1999 22:12:31 -0000
From: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Anonymous Qmail Denial of Service

Perry E. Metzger writes:
> You attacked Postfix for being subject to a DoS attack.

I pointed out that the IBM Secure Mailer allowed local users to

   * anonymously destroy messages accepted by the MTA from other users;
   * obtain traffic information that some sites consider private;
   * on some UNIX variants, charge mail to the wrong user; and
   * under specialized circumstances, steal unreadable files.

Which of these are you calling a ``denial-of-service attack,'' Perry?

I did mention, as part of the first two attacks, how to anonymously slow
down the IBM Secure Mailer drop-directory daemon by making many links in
the queue. (Other people pointed out bugs that let a user anonymously
force the daemon to exit.) But I didn't criticize the IBM Secure Mailer
for allowing this denial-of-service attack; I brought it up merely to
make clear that an attacker could easily win races with the daemon.

(Amusing historical note: On 12 June 1997, the IBM Secure Mailer author
publicly suggested that his MTA was immune to denial-of-service attacks.
Namely, after I said ``There are literally dozens of denial-of-service
attacks on all Internet mail systems, including Wietse's VaporMail,'' he
said ``You did not get a copy so you can't possibly know its resource
limiting features.'')

Anyway, Perry, you've also claimed in public that these security holes
are just my imagination; that they ``aren't real security issues''; and
that they ``were understood during the alpha test.'' Would you like to
explain these statements to the bugtraq readership?

ObSecurity: In the two weeks after my first public statement of these
security holes, the IBM Secure Mailer was changed in three ways:

   * The world-writable drop directory was made unreadable. The IBM
     Secure Mailer author called this a ``solution'' and claimed that
     inode numbers offer 15 bits of randomness. In fact, on almost all
     UNIX systems today, inode numbers are trivially predictable. This
     is security through obscurity.

   * Multiply linked files were delivered rather than removed. The only
     effect of this change is that ``anonymously destroy messages'' is
     now ``anonymously duplicate messages.'' Much less frightening, of
     course; but the drop directory still isn't secure.

   * The world-writable drop directory was _optionally_ replaced by a
     setgid program writing to a group-writable directory. This is a
     real solution, if the setgid program is secure. But---perhaps
     because of religious views about multiple-process inefficiency and
     setuid/setgid insecurity---this isn't the default!

The bottom line is that the IBM Secure Mailer remains insecure. IBM
still hasn't put any security alerts on the IBM Secure Mailer download
pages; they merely mention that the latest update fixes ``one directory
permission mistake.'' Do they not understand that they're practically
begging the security community to publish exploit scripts?

``Postfix is still in beta,'' some people respond. So what? IBM engaged
in a massive press campaign to advertise this software. They said that
sendmail had ``nasty bugs'' that did ``dumb things'' such as ``delete
files.'' They encouraged people to download and install the IBM Secure
Mailer instead. They didn't say ``By the way, it's still in beta test,
and so we aren't taking security seriously.''

---Dan
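The message above turns on two observable conditions: a world-writable drop directory (readable or not) and queue files that a local user has given a second hard link. The following audit is an added example, not code from the message or from any MTA; it builds a constructed sample directory (the name `maildrop` is just the sample's name) and reports those conditions, then applies the group-writable, setgid-helper layout the message calls a real solution.

```python
import os
import stat
import tempfile

def audit_drop_directory(path):
    """Return findings for a mail drop (queue) directory.

    Two conditions from the discussion above are checked: a world-writable
    drop directory (making it unreadable does not help, since inode
    numbers are predictable) and queue files with more than one hard
    link, which any local user can create in such a directory.
    """
    findings = []
    dmode = os.stat(path).st_mode
    if dmode & stat.S_IWOTH:
        findings.append("drop directory is world-writable")
        if not dmode & stat.S_ISVTX:
            findings.append("world-writable directory lacks sticky bit")
    for name in sorted(os.listdir(path)):
        fst = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{name}: not a regular file")
        elif fst.st_nlink > 1:
            findings.append(f"{name}: multiply linked ({fst.st_nlink} links)")
    return findings

def harden_drop_directory(path):
    """Apply the group-writable, setgid layout: only a setgid submission
    helper running in the directory's group can write; the world cannot.
    Existing extra links are not undone; they stay visible to the audit."""
    os.chmod(path, 0o2730)  # drwx-ws---

def build_demo():
    """Construct a throwaway drop directory showing both problems
    (constructed sample data, not a real mail queue)."""
    drop = os.path.join(tempfile.mkdtemp(), "maildrop")
    os.mkdir(drop)
    os.chmod(drop, 0o733)  # world-writable and unreadable, no sticky bit
    msg = os.path.join(drop, "msg1")
    with open(msg, "w") as f:
        f.write("From: alice\n\nhello\n")
    os.link(msg, os.path.join(drop, "msg2"))  # second name, same inode
    return drop

if __name__ == "__main__":
    d = build_demo()
    print("before:", audit_drop_directory(d))
    harden_drop_directory(d)
    print("after:", audit_drop_directory(d))
```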
