libspf2 DNS TXT Record Handling Heap Overflow Vulnerability


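Published: 2008-10-21

Updated: 2008-10-27

Affected systems:

Wayne Schlitt libspf2 <1.2.8

Unaffected systems:

Wayne Schlitt libspf2 1.2.8

Description:

BUGTRAQ ID: 31881

CVE(CAN) ID: CVE-2008-2469

libspf2 is a library that implements the Sender Policy Framework, allowing mail systems to check SPF records and confirm that a message was authorized by the sending domain.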







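The SPF_dns_resolv_lookup function in the Spf_dns_resolv.c file of the libspf2 library contains a heap overflow vulnerability. If a user resolves an overlong DNS TXT record that carries crafted length fields, the overflow may be triggered, leading to arbitrary code execution.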







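A DNS TXT record contains two length fields: first the overall length of the record, and second a sub-length field ranging from 0 to 255 that describes the length of a particular string within the record. The two values are not tied to each other in any way, and DNS servers do not enforce any filtering or checking of them. When a DNS TXT record is received, the outer record length determines how much memory is allocated, but the amount copied is governed by the inner length, which can trigger an overflow.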







The following is the vulnerable code segment in LibSPF2:

Spf_dns_resolv.c#SPF_dns_resolv_lookup():

    case ns_t_txt:
        if ( rdlen > 1 )
        {
            u_char *src, *dst;
            size_t len;

            /* allocate rdlen bytes at spfrr->rr[cnt]->txt */
            if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != SPF_E_SUCCESS )
                return spfrr;

            dst = spfrr->rr[cnt]->txt;
            len = 0;
            src = (u_char *)rdata;
            while ( rdlen > 0 )
            {
                /* get a second length from the attacker-controlled data stream,
                   some value from 0 to 255, unbound to rdlen */
                len = *src;
                src++;
                /* copy that second length into the rdlen-byte buffer */
                memcpy( dst, src, len );
                dst += len;
                src += len;
                rdlen -= len + 1;
            }
            *dst = '\0';
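
An added example, not part of the original advisory and not libspf2's own fix: a bounds-checked form of the copy loop above that rejects any inner length byte claiming more data than the outer rdlen leaves. The function name txt_rdata_concat and the sample records are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libspf2 function): concatenate the
 * <character-string>s of one TXT RDATA into dst and NUL-terminate.
 * Returns bytes written (without the NUL), or -1 if an inner length
 * byte claims more than the outer rdlen leaves or dst is too small. */
long txt_rdata_concat(const uint8_t *rdata, size_t rdlen,
                      uint8_t *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;

    if (dst_cap == 0)
        return -1;
    while (in < rdlen) {
        size_t len = rdata[in++];      /* inner length byte, 0..255 */
        if (len > rdlen - in)          /* runs past the outer record length */
            return -1;
        if (len >= dst_cap - out)      /* always keep one byte for the NUL */
            return -1;
        memcpy(dst + out, rdata + in, len);
        in  += len;
        out += len;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t ok_rr[]  = { 5,'v','=','s','p','f', 6,'1',' ','-','a','l','l' };
static const uint8_t bad_rr[] = { 0xff, 'A', 'A', 'A' };  /* inner 255 > outer 4 */

int main(void)
{
    uint8_t buf[sizeof ok_rr];   /* sized from the outer length, as in the excerpt */
    long n = txt_rdata_concat(ok_rr, sizeof ok_rr, buf, sizeof buf);
    printf("well-formed: %ld \"%s\"\n", n, (char *)buf);
    n = txt_rdata_concat(bad_rr, sizeof bad_rr, buf, sizeof buf);
    printf("inner length past rdlen: %ld\n", n);
    return 0;
}
```

Both checks are needed: the first ties the inner length to the outer record length, the second keeps the write inside the destination buffer regardless of how that buffer was sized.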



<*Source: Dan Kaminsky

Links: http://www.doxpara.com/?page_id=1256
http://bugs.gentoo.org/show_bug.cgi?f ... =multiple%26amp;id=242254
http://www.debian.org/security/2008/dsa-1659
*>



Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

http://www.milw0rm.com/exploits/6805



Recommendation:

Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1659-1) and corresponding patches for this issue:

DSA-1659-1: New libspf2 packages fix potential remote code execution

Link: http://www.debian.org/security/2008/dsa-1659







Patch downloads:














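Patch installation:

1. Install the patch packages manually:

First, download the patch package with the following command:

# wget url (where url is the patch download link)

Then, install the patch with the following command:

# dpkg -i file.deb (where file is the name of the corresponding patch package)

2. Install the patch packages automatically with apt-get:

First, update the internal database with the following command:

# apt-get update

Then, install the updated packages with the following command:

# apt-get upgrade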



Wayne Schlitt

-------------

The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:







http://www.libspf2.org/spf/libspf2-1.2.8.tar.gz