[Fwd: Kaminsky redux - libspf2 dns parsing bug]



Some of you probably already heard about this...
From Kaminsky's http://www.doxpara.com/?p=1263

------

I really need to learn to leave DNS alone :)

DNS TXT Record Parsing Bug in LibSPF2
A relatively common bug parsing TXT records delivered over DNS, dating
at least back to 2002 in Sendmail 8.2.0 and almost certainly much
earlier, has been found in LibSPF2, a library frequently used to
retrieve SPF (Sender Policy Framework) records and apply policy
according to those records. This implementation flaw allows for
relatively flexible memory corruption, and should thus be treated as a
path to anonymous remote code execution. Of particular note is that
the remote code execution would occur on servers specifically designed
to receive E-Mail from the Internet, and that these systems may in
fact be high volume mail exchangers. This creates privacy
implications. It is also the case that a corrupted email server is a
useful "jumping off" point for attackers to corrupt desktop machines,
since attachments can be corrupted with malware while the containing
message stays intact. So there are internal security implications as
well, above and beyond corruption of the mail server on the DMZ.

Apparently LibSPF2 is actually used to secure quite a bit of mail
traffic – there's a lot of SPAM out there. Fix is out, see
http://www.libspf2.org/index.html or your friendly neighborhood
distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of
MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for
their help with this.

------

--
Andy Kosela
ora et labora
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
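TXT RDATA is a sequence of length-prefixed character-strings (RFC 1035, section 3.3.14), so any code that stitches a TXT answer back into an SPF string has to check each length octet against the RDATA bytes that actually remain, not trust the octet on its own. This is an added example, not libspf2 code: a bounds-checked reassembly routine run over constructed input, including a record whose length octet overstates the bytes present.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Reassemble the <character-string>s of one TXT RDATA into out[].
 * Each string is a length octet followed by that many bytes. Returns the
 * number of bytes written, or -1 if a length octet claims more than the
 * remaining rdlen or more than fits in out. Every read is bounded by
 * rdlen, never by the network-supplied length octet alone.
 */
int txt_concat(const uint8_t *rdata, size_t rdlen, char *out, size_t outlen)
{
    size_t in = 0, written = 0;
    if (outlen == 0)
        return -1;
    while (in < rdlen) {
        size_t len = rdata[in++];           /* length octet from the wire */
        if (len > rdlen - in)               /* claims bytes that are not there */
            return -1;
        if (len > outlen - 1 - written)     /* would overflow out (keep NUL) */
            return -1;
        memcpy(out + written, rdata + in, len);
        written += len;
        in += len;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_rdata[] = {
    4, 'v', '=', 's', 'p',                  /* "v=sp"                         */
    7, 'f', '1', ' ', '-', 'a', 'l', 'l'    /* "f1 -all" -> "v=spf1 -all"     */
};
/* Length octet 0x20 (32) but only 3 bytes follow: must be rejected. */
static const uint8_t truncated_rdata[] = { 0x20, 'v', '=', 's' };

/* Returns 1 if the well-formed record reassembles to "v=spf1 -all". */
int good_record_ok(void)
{
    char buf[32];
    return txt_concat(good_rdata, sizeof good_rdata, buf, sizeof buf) == 11
        && strcmp(buf, "v=spf1 -all") == 0;
}

/* Returns 1 if the over-long length octet is rejected instead of over-read. */
int truncated_record_rejected(void)
{
    char buf[32];
    return txt_concat(truncated_rdata, sizeof truncated_rdata, buf, sizeof buf) == -1;
}
```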


