Bugtraq mailing list archives
Re: Anonymous Qmail Denial of Service
From: djb () CR YP TO (D. J. Bernstein)
Date: Sat, 9 Jan 1999 22:12:31 -0000
Perry E. Metzger writes:
> You attacked Postfix for being subject to a DoS attack.
I pointed out that the IBM Secure Mailer allowed local users to
* anonymously destroy messages accepted by the MTA from other users;
* obtain traffic information that some sites consider private;
* on some UNIX variants, charge mail to the wrong user; and
* under specialized circumstances, steal unreadable files.
Which of these are you calling a ``denial-of-service attack,'' Perry?
I did mention, as part of the first two attacks, how to anonymously slow
down the IBM Secure Mailer drop-directory daemon by making many links in
the queue. (Other people pointed out bugs that let a user anonymously
force the daemon to exit.) But I didn't criticize the IBM Secure Mailer
for allowing this denial-of-service attack; I brought it up merely to
make clear that an attacker could easily win races with the daemon.
(Amusing historical note: On 12 June 1997, the IBM Secure Mailer author
publicly suggested that his MTA was immune to denial-of-service attacks.
Namely, after I said ``There are literally dozens of denial-of-service
attacks on all Internet mail systems, including Wietse's VaporMail,'' he
said ``You did not get a copy so you can't possibly know its resource
limiting features.'')
Anyway, Perry, you've also claimed in public that these security holes
are just my imagination; that they ``aren't real security issues''; and
that they ``were understood during the alpha test.'' Would you like to
explain these statements to the bugtraq readership?
ObSecurity: In the two weeks after my first public statement of these
security holes, the IBM Secure Mailer was changed in three ways:
* The world-writable drop directory was made unreadable. The IBM
Secure Mailer author called this a ``solution'' and claimed that
inode numbers offer 15 bits of randomness. In fact, on almost all
UNIX systems today, inode numbers are trivially predictable. This
is security through obscurity.
* Multiply linked files were delivered rather than removed. The only
effect of this change is that ``anonymously destroy messages'' is
now ``anonymously duplicate messages.'' Much less frightening, of
course; but the drop directory still isn't secure.
* The world-writable drop directory was _optionally_ replaced by a
setgid program writing to a group-writable directory. This is a
real solution, if the setgid program is secure. But---perhaps
because of religious views about multiple-process inefficiency and
setuid/setgid insecurity---this isn't the default!
The bottom line is that the IBM Secure Mailer remains insecure. IBM
still hasn't put any security alerts on the IBM Secure Mailer download
pages; they merely mention that the latest update fixes ``one directory
permission mistake.'' Do they not understand that they're practically
begging the security community to publish exploit scripts?
``Postfix is still in beta,'' some people respond. So what? IBM engaged
in a massive press campaign to advertise this software. They said that
sendmail had ``nasty bugs'' that did ``dumb things'' such as ``delete
files.'' They encouraged people to download and install the IBM Secure
Mailer instead. They didn't say ``By the way, it's still in beta test,
and so we aren't taking security seriously.''
---Dan
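The message above turns on two concrete checks: whether a drop directory is world-writable, and whether a queue file has more than one hard link (the "multiply linked files" that let an outsider's link be mistaken for a submitter's message). The following is an added example, not code from this thread, from the IBM Secure Mailer/Postfix, or from qmail. It audits a directory for those conditions and shows a pickup routine that makes every check on the open descriptor rather than on the name, so an attacker who can create links in the directory cannot win the race between check and read. The function names `audit_drop_dir`, `pickup` and `make_sample_dir` are assumptions of this example; it assumes a POSIX system where `os.O_NOFOLLOW` is available, and the sample directory it builds is constructed here for demonstration.

```python
import os
import stat
import tempfile

# Added example, not code from the thread or from any MTA discussed in it.


def audit_drop_dir(path):
    """Return a list of (finding, path) tuples for a mail drop directory.

    The two findings that matter for the discussion above are
    "world-writable" (any local user can create names in the directory)
    and "multiply-linked" (a queue file has st_nlink > 1, so some other
    name refers to the same inode and the file may not be the
    submitter's own message).  Symlinks and non-regular files are
    reported as well.
    """
    findings = []
    dst = os.lstat(path)
    if not stat.S_ISDIR(dst.st_mode):
        return [("not-a-directory", path)]
    if dst.st_mode & stat.S_IWOTH:
        findings.append(("world-writable", path))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)                  # lstat: never follow symlinks
        if stat.S_ISLNK(fst.st_mode):
            findings.append(("symlink", full))
        elif not stat.S_ISREG(fst.st_mode):
            findings.append(("not-regular", full))
        elif fst.st_nlink > 1:
            findings.append(("multiply-linked", full))
    return findings


def pickup(path):
    """Open and read a queue file the way a drop-directory daemon should.

    Returns the file contents as bytes, or None if the file fails any
    check.  Every check is made with fstat() on the descriptor that is
    actually read, so a link or symlink swapped in between a name-based
    check and the read cannot change what is being inspected.
    """
    try:
        # O_NOFOLLOW: refuse symlinks outright.  O_NONBLOCK: never hang
        # on a FIFO someone dropped into the directory.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None                           # symlink, vanished, unreadable
    try:
        fst = os.fstat(fd)
        if not stat.S_ISREG(fst.st_mode):
            return None                       # FIFO, device, directory
        if fst.st_nlink != 1:
            return None                       # refuse multiply-linked files
        data = b""
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                return data
            data += chunk
    finally:
        os.close(fd)


def make_sample_dir():
    """Build a constructed, deliberately bad drop directory for testing.

    Returns a dict with the directory and the paths it contains: a file
    with a second hard link to it, a symlink, and one clean file.
    """
    d = tempfile.mkdtemp(prefix="dropdir-")
    os.chmod(d, 0o1733)                       # world-writable with sticky bit
    linked = os.path.join(d, "msg-linked")
    extra_link = os.path.join(d, "msg-linked-2")
    clean = os.path.join(d, "msg-clean")
    sym = os.path.join(d, "msg-sym")
    with open(linked, "wb") as f:
        f.write(b"From: someone\n\nthis inode has two names\n")
    os.link(linked, extra_link)               # second hard link -> nlink == 2
    with open(clean, "wb") as f:
        f.write(b"From: someone\n\nsingle-linked regular file\n")
    os.symlink("msg-clean", sym)
    return {"dir": d, "linked": linked, "extra_link": extra_link,
            "clean": clean, "symlink": sym}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()["dir"]
    for finding, p in audit_drop_dir(target):
        print(finding, p)
```

Run it with a directory argument to audit a real drop directory, or with no argument to audit the constructed sample. The important design point is in `pickup`: the nlink and file-type checks use `os.fstat` on the descriptor returned by `os.open`, not `os.stat` on the path, because a name-based check followed by a separate open is exactly the window the message above says an attacker "could easily win".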