No School Like The Old School

I really need to learn to leave DNS alone 🙂

DNS TXT Record Parsing Bug in LibSPF2
A relatively common bug in parsing TXT records delivered over DNS, dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier, has been found in LibSPF2, a library frequently used to retrieve SPF (Sender Policy Framework) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption, and should thus be treated as a path to anonymous remote code execution. Of particular note is that the remote code execution would occur on servers specifically designed to receive email from the Internet, and that these systems may in fact be high-volume mail exchangers. This creates privacy implications. It is also the case that a corrupted email server is a useful “jumping off” point for attackers to corrupt desktop machines, since attachments can be corrupted with malware while the containing message stays intact. So there are internal security implications as well, above and beyond corruption of the mail server on the DMZ.
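The advisory does not show the faulty code, so the following is an added illustration (not LibSPF2's code or its patch) of the bounds checks any TXT parser needs: per RFC 1035 a TXT RDATA is a sequence of length-prefixed strings, and every length octet is chosen by the remote DNS server. The function name and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a two-segment SPF record, and one whose length
 * octet (200) claims more data than the RDATA actually holds. */
static const uint8_t SAMPLE_OK[]  = {10,'v','=','s','p','f','1',' ','m','x',' ',
                                     4,'-','a','l','l'};
static const uint8_t SAMPLE_LIE[] = {200,'v','=','s','p','f','1'};

/* Concatenate the <character-string> segments of one TXT RDATA into out
 * as a NUL-terminated string. Returns the text length, or -1 if the
 * record is malformed or does not fit in out. */
int txt_rdata_concat(const uint8_t *rdata, size_t rdlen, char *out, size_t outsz)
{
    size_t in = 0, used = 0;

    if (rdata == NULL || out == NULL || outsz == 0)
        return -1;

    while (in < rdlen) {
        size_t seg = rdata[in++];          /* untrusted length octet */

        if (seg > rdlen - in)              /* segment runs past the RDATA */
            return -1;
        if (seg > outsz - 1 - used)        /* would overflow out (NUL reserved) */
            return -1;
        if (memchr(rdata + in, '\0', seg)) /* policy choice: reject embedded NUL */
            return -1;

        memcpy(out + used, rdata + in, seg);
        used += seg;
        in += seg;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    char buf[64];
    int n = txt_rdata_concat(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf);
    printf("ok:  %d \"%s\"\n", n, n >= 0 ? buf : "");
    printf("lie: %d\n", txt_rdata_concat(SAMPLE_LIE, sizeof SAMPLE_LIE, buf, sizeof buf));
    return 0;
}
```

Both the input check (against the remaining RDATA) and the output check (against the destination buffer) are required; either one alone still leaves a path to out-of-bounds access.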

Apparently LibSPF2 is actually used to secure quite a bit of mail traffic; there’s a lot of spam out there. A fix is out: see http://www.libspf2.org/index.html or your friendly neighborhood distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for their help with this.

Edit:  Special thanks, incidentally, to Coverity, who upon hearing that there was one bug, ran their static analyzer on LibSPF2 and found six more.  Cool!

  1. October 23, 2008 at 2:48 am

    I just thought I should tell you that there is upcoming DNSSEC support for DKIM-milter. DKIM-milter implements DKIM signing for outgoing e-mail, and now also using DNSSEC for looking up DKIM keys in DNS for validating DKIM signed e-mail.

    If you are eager to test it, you can find a patch here: http://opensource.iis.se/dkim/

    You can also wait for the upcoming 2.8.0 beta version which is due in a few weeks.

  2. J.F.
    December 23, 2008 at 11:55 am

    zzzzzzzzzzzzzz

    DNSSEC??!! Whoa, here it is practically at the end of 2008 … and ICANN said back in July that they were “prepared to digitally sign the root using DNSSEC technology by late 2008” 🙂 …

    http://www.icann.org/en/announcements/announcement-24jul08-en.htm

    OH … they didn’t? … 😦 …

    http://www.eweek.com/c/a/Security/Its-Time-to-Sign-the-Root-Zone-Already/

    zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

  3. January 3, 2009 at 4:12 am

    I just thought I should tell you that there is upcoming DNSSEC support for DKIM-milter.
