[Fwd: Kaminsky redux - libspf2 dns parsing bug]

From: Andy Kosela (akoselaandykosela.com)
Date: Wed Oct 22 2008 - 03:37:33 CDT


Some of you probably already heard about this...
From Kaminsky's http://www.doxpara.com/?p=1263

------

I really need to learn to leave DNS alone :)

DNS TXT Record Parsing Bug in LibSPF2
A relatively common bug parsing TXT records delivered over DNS, dating
at least back to 2002 in Sendmail 8.2.0 and almost certainly much
earlier, has been found in LibSPF2, a library frequently used to
retrieve SPF (Sender Policy Framework) records and apply policy
according to those records. This implementation flaw allows for
relatively flexible memory corruption, and should thus be treated as a
path to anonymous remote code execution. Of particular note is that
the remote code execution would occur on servers specifically designed
to receive E-Mail from the Internet, and that these systems may in
fact be high volume mail exchangers. This creates privacy
implications. It is also the case that a corrupted email server is a
useful "jumping off" point for attackers to corrupt desktop machines,
since attachments can be corrupted with malware while the containing
message stays intact. So there are internal security implications as
well, above and beyond corruption of the mail server on the DMZ.

Apparently LibSPF2 is actually used to secure quite a bit of mail
traffic; there's a lot of SPAM out there. Fix is out, see
http://www.libspf2.org/index.html or your friendly neighborhood
distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of
MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for
their help with this.

------

--
Andy Kosela
ora et labora
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
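
The forwarded post says only that the flaw is in parsing TXT records delivered over DNS. As an added example (not code from LibSPF2 or from the post), here is a bounds-checked reader for TXT RDATA as laid out in RFC 1035, where each character-string is a length byte followed by that many bytes. The function names and both sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Concatenate the <character-string>s of one TXT RDATA (RFC 1035, 3.3.14)
 * into out as a NUL-terminated string.
 * Returns the string length, or -1 if the record is malformed or too large. */
long txt_rdata_to_string(const uint8_t *rdata, size_t rdlen,
                         char *out, size_t outcap)
{
    size_t pos = 0, used = 0;

    if (rdata == NULL || out == NULL || outcap == 0)
        return -1;
    while (pos < rdlen) {
        size_t seglen = rdata[pos++];     /* length byte chosen by the sender */

        if (seglen > rdlen - pos)         /* segment runs past the RDATA */
            return -1;
        if (seglen >= outcap - used)      /* no room for segment plus NUL */
            return -1;
        if (memchr(rdata + pos, '\0', seglen) != NULL)
            return -1;                    /* embedded NUL would hide trailing data */
        memcpy(out + used, rdata + pos, seglen);
        used += seglen;
        pos += seglen;
    }
    out[used] = '\0';
    return (long)used;
}

/* True if the text is an SPF version 1 record: "v=spf1" then space or end. */
int is_spf1_record(const char *txt)
{
    return strncmp(txt, "v=spf1", 6) == 0 && (txt[6] == ' ' || txt[6] == '\0');
}

/* Constructed samples: a valid two-segment record, and one whose length
 * byte (200) claims more data than the RDATA actually holds. */
static const uint8_t SAMPLE_OK[] = {7,'v','=','s','p','f','1',' ',4,'-','a','l','l'};
static const uint8_t SAMPLE_OVERRUN[] = {200,'v','=','s','p','f','1'};

int main(void)
{
    char buf[64];
    printf("ok: %ld\n", txt_rdata_to_string(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf));
    printf("overrun: %ld\n", txt_rdata_to_string(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, buf, sizeof buf));
    return 0;
}
```

Every length comes from the wire, so each one is checked against both the remaining RDATA and the remaining output space before any copy.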