Thursday, May 21, 2020 [Tweets] [Favorites]

Remote Code Execution in qmail

Qualys (via Marcel Weiher, Matthew Garrett, Hacker News):

Surprisingly, we re-discovered these vulnerabilities during a recent qmail audit; they have never been fixed because, as stated by qmail’s author Daniel J. Bernstein:

This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.

Indeed, the memory consumption of each qmail-smtpd process is severely limited by default (by qmail-smtpd’s startup script); for example, on Debian 10 (the latest stable release), it is limited to roughly 7MB.

Unfortunately, we discovered that these vulnerabilities also affect qmail-local, which is reachable remotely and is not memory-limited by default[…]

See also: Some thoughts on security after ten years of qmail 1.0 (PDF).

3 Comments

So, instead of fixing the vulnerability, Bernstein would rather have a meta discussion over “that shouldn’t happen anyway, and if it does, I have an undocumented way of working around it”. Such discussions are common, I’ve found, with inexperienced devs, but they’re unprofessional.

The fix, it appears, is five simple lines of C.

unsigned int m = n;
if ((n = ALIGNMENT + n - (n & (ALIGNMENT - 1))) < m) { /* XXX: handle overflow */
    errno = error_nomem;
    return 0;
}

I stopped taking Bernstein seriously in 2005 when he wrote that response. I mean, his track record is great, but arrogance and security do not mix, as we have once more demonstrated, albeit 15 years later.

qmail was also stunted, and unable to adapt to the modern standards of email security, by his bull-headed insistence that qmail was already perfect. But it wasn't, because no one can run *just* qmail and have a modern email system. You You have to extend it in numerous ways, and every one of those extensions are potential exploit targets. But DJB can claim that it's not his fault, because the core is still secure. Or *was* secure.

If it "can’t" happen, add an assertion anyway. It doesn’t hurt, and I’m the worst case it will crash instead of being undefined.

But I suppose this is a psychological problem. All soon as "x years without a security flaw" becomes a thing you care about, you’re discouraging yourself from accepting and fixing mistakes (because it would break your streak).

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment