To: bugtraq@netspace.org
Subject: Re: Anonymous Qmail Denial of Service

Perry E. Metzger writes:
> You attacked Postfix for being subject to a DoS attack.

I pointed out that the IBM Secure Mailer allowed local users to

 * anonymously destroy messages accepted by the MTA from other users;
 * obtain traffic information that some sites consider private;
 * on some UNIX variants, charge mail to the wrong user; and
 * under specialized circumstances, steal unreadable files.

Which of these are you calling a ``denial-of-service attack,'' Perry?

I did mention, as part of the first two attacks, how to anonymously slow down the IBM Secure Mailer drop-directory daemon by making many links in the queue. (Other people pointed out bugs that let a user anonymously force the daemon to exit.) But I didn't criticize the IBM Secure Mailer for allowing this denial-of-service attack; I brought it up merely to make clear that an attacker could easily win races with the daemon.

(Amusing historical note: On 12 June 1997, the IBM Secure Mailer author publicly suggested that his MTA was immune to denial-of-service attacks. Namely, after I said ``There are literally dozens of denial-of-service attacks on all Internet mail systems, including Wietse's VaporMail,'' he said ``You did not get a copy so you can't possibly know its resource limiting features.'')

Anyway, Perry, you've also claimed in public that these security holes are just my imagination; that they ``aren't real security issues''; and that they ``were understood during the alpha test.'' Would you like to explain these statements to the bugtraq readership?

ObSecurity: In the two weeks after my first public statement of these security holes, the IBM Secure Mailer was changed in three ways:

 * The world-writable drop directory was made unreadable. The IBM Secure Mailer author called this a ``solution'' and claimed that inode numbers offer 15 bits of randomness. In fact, on almost all UNIX systems today, inode numbers are trivially predictable. This is security through obscurity.

 * Multiply linked files were delivered rather than removed. The only effect of this change is that ``anonymously destroy messages'' is now ``anonymously duplicate messages.'' Much less frightening, of course; but the drop directory still isn't secure.

 * The world-writable drop directory was _optionally_ replaced by a setgid program writing to a group-writable directory. This is a real solution, if the setgid program is secure. But---perhaps because of religious views about multiple-process inefficiency and setuid/setgid insecurity---this isn't the default!

The bottom line is that the IBM Secure Mailer remains insecure. IBM still hasn't put any security alerts on the IBM Secure Mailer download pages; they merely mention that the latest update fixes ``one directory permission mistake.'' Do they not understand that they're practically begging the security community to publish exploit scripts?

``Postfix is still in beta,'' some people respond. So what? IBM engaged in a massive press campaign to advertise this software. They said that sendmail had ``nasty bugs'' that did ``dumb things'' such as ``delete files.'' They encouraged people to download and install the IBM Secure Mailer instead. They didn't say ``By the way, it's still in beta test, and so we aren't taking security seriously.''

---Dan
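Two checks that follow from the drop-directory discussion in the message above, written here as an added example; this is not code from Dan's post and not Postfix code. The first measures how predictable freshly allocated inode numbers actually are on a filesystem, which is the number that matters if queue file names are derived from inode numbers and the only protection is that the directory is unreadable. The second classifies a drop directory's mode into the three configurations the message names (world-writable, world-writable but unreadable, group-writable behind a setgid helper). The labels, thresholds and the temporary directories are assumptions for illustration; a Linux-style permission model is assumed.

```python
"""Added example: inode-number predictability check and drop-directory
mode audit. Not from the original post or from Postfix. Labels and
thresholds are illustrative assumptions."""
import os
import stat
import tempfile


def inode_predictability(directory, n=64, window=16):
    """Create n empty files in `directory`, record their inode numbers and
    report how many successive allocations land within `window` of the
    previous one. A ratio near 1.0 means "last inode seen + small delta"
    is a good guess, so a name derived from the inode number is not a
    secret even if the directory itself is unreadable. Probe files are
    removed afterwards."""
    inodes, paths = [], []
    try:
        for _ in range(n):
            fd, path = tempfile.mkstemp(prefix="probe", dir=directory)
            os.close(fd)
            paths.append(path)
            inodes.append(os.stat(path).st_ino)
    finally:
        for path in paths:
            os.unlink(path)
    deltas = [b - a for a, b in zip(inodes, inodes[1:])]
    near = sum(1 for d in deltas if 0 < abs(d) <= window)
    return {
        "samples": n,
        "distinct": len(set(inodes)),
        "near_ratio": near / len(deltas) if deltas else 0.0,
        "max_delta": max((abs(d) for d in deltas), default=0),
    }


def audit_drop_dir(path):
    """Classify a drop directory by its mode bits. Assumed labels:
      world_writable        anyone can create (and hard-link) into it
      world_writable_hidden same, but not world-readable: names are
                            hidden, not protected
      group_writable        only the group writes; the expected design
                            is a setgid helper owning that group
      other                 none of the above
    The sticky bit stops other users unlinking your files; it does not
    stop them creating extra links to their own or, on systems without
    hard-link restrictions, to other users' files."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    mode = st.st_mode
    world_w = bool(mode & stat.S_IWOTH)
    world_r = bool(mode & stat.S_IROTH)
    group_w = bool(mode & stat.S_IWGRP)
    if world_w and world_r:
        kind = "world_writable"
    elif world_w:
        kind = "world_writable_hidden"
    elif group_w:
        kind = "group_writable"
    else:
        kind = "other"
    return {
        "kind": kind,
        "sticky": bool(mode & stat.S_ISVTX),
        "mode": oct(stat.S_IMODE(mode)),
    }


def make_test_dir(mode):
    """Create a fresh temporary directory with exactly `mode` (an
    assumed helper so the checks can be exercised offline)."""
    path = tempfile.mkdtemp(prefix="dropdir")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in (0o1777, 0o1733, 0o770):
        d = make_test_dir(m)
        print(oct(m), audit_drop_dir(d))
        print("  inode predictability:", inode_predictability(d, n=32))
        os.rmdir(d)
```

Run it on the real queue directory instead of the temporary ones to see both numbers for a live system; a `near_ratio` close to 1.0 is the concrete form of "trivially predictable", and only the `group_writable` classification corresponds to the setgid-helper arrangement the message calls a real solution.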