On Fri, Apr 26, 2013 at 01:49:10PM +0200, Vincent Lefevre wrote:
> On 2013-04-25 23:57:24 -0500, Derek Martin wrote:
> > I'm sorry Vincent but you're wrong. The header gets added, it's the
> > same in both the target and attacker's copies.
>
> Wrong. This is not what I can see.
Well then you don't have a clue. Let me spell it out for you:

Script started on Fri 26 Apr 2013 10:08:08 AM CDT
$ ls -l /var/spool/mail
total 0
-rw------- 1 ddm mail 0 Apr 26 10:04 ddm
$ sudo useradd test1
$ sudo useradd test2
$ sudo useradd attacker
$ telnet mail.mydomain.SANITIZED 25
Trying SANITIZED_IP...
Connected to mail.mydomain.SANITIZED.
Escape character is '^]'.
220 SANITIZED ESMTP Sendmail 8.13.8/8.13.8; Fri, 26 Apr 2013 10:09:04 -0500
ehlo pizzashack.org
250-SANITIZED Hello SANITIZED [SANITIZED_IP], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
mail from: attacker
553 5.5.4 attacker... Domain name required for sender address attacker
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: test1
250 2.1.5 test1... Recipient ok
rcpt to: test2
250 2.1.5 test2... Recipient ok
rcpt to: attacker
250 2.1.5 attacker... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: [email protected]
To: test1, test2, attacker
Subject: hi!

test
.
250 2.0.0 r3QF946I031914 Message accepted for delivery
quit
221 2.0.0 SANITIZED closing connection
Connection closed by foreign host.
$ sudo md5sum /var/spool/mail/*
aa3c292a25e61fdb736a3507f8b75bc9  /var/spool/mail/attacker
d41d8cd98f00b204e9800998ecf8427e  /var/spool/mail/ddm
aa3c292a25e61fdb736a3507f8b75bc9  /var/spool/mail/test1
aa3c292a25e61fdb736a3507f8b75bc9  /var/spool/mail/test2
$ sudo cat /var/spool/mail/attacker
[sudo] password for ddm:
From [email protected] Fri Apr 26 10:10:49 2013
Return-Path: <[email protected]>
Received: from pizzashack.org (SANITIZED [SANITIZED_IP])
        by SANITIZED (8.13.8/8.13.8) with ESMTP id r3QF946I031914;
        Fri, 26 Apr 2013 10:09:50 -0500
Date: Fri, 26 Apr 2013 10:09:04 -0500
Message-Id: <201304261509.r3QF946I031914@SANITIZED>
From: [email protected]
To: test1@SANITIZED, test2@SANITIZED, attacker@SANITIZED
Subject: hi!

test
$ exit
Script done on Fri 26 Apr 2013 10:11:25 AM CDT

YOU ARE WRONG. This is a trivial attack. If you're unable to see that at
this point, no one can possibly help you.

> > The whole point of this subthread is that choosing not to rely on
> > the system-provided library routines is folly. You can't provide
> > anything better portably--your system libraries will already use the
> > best source of randomness available to them.
>
> Of course one can: just add randomness to what the system libraries
> provided.

You can't. You can't be trusted to get it right. You've just proven that.

> In particular, mkstemp() will just provide a unique
> filename, without a suffix. The unique filename may be predictable
> (the spec doesn't require that it shouldn't be).

But the security community does. No one does this anymore, unless their
system is incapable of providing adequate randomness. The system
libraries already implement the best possible hope you have of getting
this right.

-- 
Derek D. Martin    http://www.pizzashack.org/    GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail due to spam prevention. Sorry for the
inconvenience.
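Worked example added after the message (not code from this thread, from mutt, or from either poster): the two temp-file patterns the mkstemp() exchange above contrasts, a guessable name opened without O_EXCL beside the library's mkstemp(), with a self-contained check that a link planted at the guessable name is followed by the first and never by the second. The function names, the mutt- prefix and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread argues against: a guessable name opened without
 * O_EXCL, so whatever already sits there (a planted symlink) is followed. */
int open_tempfile_predictable(const char *dir, char *path, size_t len) {
    if (snprintf(path, len, "%s/mutt-%ld", dir, (long)getpid()) >= (int)len) return -1;
    return open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* The library way: mkstemp() fills in XXXXXX and opens with O_CREAT|O_EXCL,
 * so an existing file or symlink is never reused even if the name is guessed. */
int open_tempfile_mkstemp(const char *dir, char *path, size_t len) {
    if (snprintf(path, len, "%s/mutt-XXXXXX", dir) >= (int)len) return -1;
    int fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); unlink(path); fd = -1; }
    return fd;
}

/* 1 if the open descriptor refers to the same inode as the file at path. */
int fd_is_same_file(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Demo in a private scratch directory (assumed under /tmp): plant a symlink at
 * the guessable name, then try both openers. Returns a bitmask (bit 0: the
 * predictable opener landed on the victim; bit 1: mkstemp did not), so 3 is
 * the expected result; -1 means setup failed. */
int demo_planted_symlink(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], planted[64], path[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/mutt-%ld", dir, (long)getpid());
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (symlink("victim", planted) != 0) return -1;
    fd = open_tempfile_predictable(dir, path, sizeof path);
    if (fd >= 0) { result |= fd_is_same_file(fd, victim); close(fd); }
    fd = open_tempfile_mkstemp(dir, path, sizeof path);
    if (fd >= 0) { result |= !fd_is_same_file(fd, victim) << 1; close(fd); unlink(path); }
    unlink(planted); unlink(victim); rmdir(dir);
    return result;
}
```

Calling demo_planted_symlink() from a main() returns 3 on a Linux or BSD system where /tmp is writable; the predictable opener also truncates the victim file through the link, which is the damage O_EXCL prevents.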
