ICANN/GNSO GNSO Email List Archives

[ga]



[ga] New DNS vulnerability: LibSPF2 DNS TXT Record Handling Buffer Overflow

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] New DNS vulnerability: LibSPF2 DNS TXT Record Handling Buffer Overflow
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 22 Oct 2008 17:16:45 -0700

All,

  Seems ISC and the SSAC missed this one.  Oh well, not
surprising...  They are spam enablers anyway.  Not very good
service for organizations that purport to be serving the public
good, IMO.  I guess ISC and the SSAC's version of good
public service is "Let them eat cake"?  Or is it while slopping at
the trough, "where's my lipstick, I want to at least look good?"
Or maybe they were again busy engaging in self-aggrandizement
updating their Wikipedia entries?  George, got another update
for us on that possibility?

See:

libspf2 versions prior to 1.2.8
Description: SPF is the Sender Policy Framework (formerly "Sender
Permitted From"). SPF is a mechanism to help prevent unauthorized or
undesired email messages ("spam") by indicating from what servers a
domain can send email. Receiving mail servers can check SPF records
exported via DNS records to determine if a server sending email from a
domain is legitimately doing so. LibSPF2 is a popular implementation of
the SPF protocol and is used by a variety of mail and DNS products. It
contains a buffer overflow in its processing of SPF records exported
from DNS. A specially crafted SPF record could trigger this
vulnerability. In most common scenarios, an attacker could exploit this
vulnerability by simply sending an email message to a server known to
check SPF records; therefore no user interaction is required.
Successfully exploiting this vulnerability would allow an attacker to
execute arbitrary code with the privileges of the vulnerable process,
often a high-privilege account. Full technical details and a
proof-of-concept are publicly available for this vulnerability.
Status: Vendor confirmed, updates available.
References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/31881.pl
Documentation by Dan Kaminsky
http://www.doxpara.com/?page_id=1256
Vendor Home Page
http://www.libspf2.org/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/31881

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
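
Added example, not part of the original message and not libspf2's own code: the quoted advisory names the bug class (a buffer overflow while handling DNS TXT records) without details, so this shows the general defensive pattern for that class, checking every length octet in TXT RDATA against both the record length and the destination buffer before copying. The function name `txt_rdata_to_string` and the sample record are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Concatenate the <character-string>s of a DNS TXT RDATA into out.
 * Each string is one length octet followed by that many bytes.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * record is malformed or does not fit; on failure out is left empty. */
long txt_rdata_to_string(const unsigned char *rdata, size_t rdlen,
                         char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;

    if (rdata == NULL || out == NULL || out_cap == 0)
        return -1;

    while (pos < rdlen) {
        size_t seg = rdata[pos++];           /* attacker-controlled, 0..255 */

        if (seg > rdlen - pos)               /* string runs past the RDATA */
            goto fail;
        if (seg >= out_cap - written)        /* must leave room for the NUL */
            goto fail;
        if (memchr(rdata + pos, '\0', seg))  /* embedded NUL breaks C strings */
            goto fail;

        memcpy(out + written, rdata + pos, seg);
        written += seg;
        pos += seg;
    }
    out[written] = '\0';
    return (long)written;

fail:
    out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed sample: two character-strings forming "v=spf1 -all". */
    const unsigned char rec[] = {6,'v','=','s','p','f','1',5,' ','-','a','l','l'};
    char buf[64];
    long n = txt_rdata_to_string(rec, sizeof rec, buf, sizeof buf);
    printf("%ld \"%s\"\n", n, buf);
    return 0;
}
```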
