libspf2 DNS TXT Record Handling Heap Overflow Vulnerability

Published: 2008-10-21
Updated: 2008-10-27

Affected systems:
Wayne Schlitt libspf2 <1.2.8
Unaffected systems:
Wayne Schlitt libspf2 1.2.8
Description:
BUGTRAQ ID: 31881
CVE(CAN) ID: CVE-2008-2469

libspf2 is a library implementing the Sender Policy Framework (SPF). It lets mail systems look up a domain's SPF record and check whether a message is authorized by that domain.

The SPF_dns_resolv_lookup function in libspf2's Spf_dns_resolv.c contains a heap overflow. Whenever the library resolves a DNS TXT record whose inner length fields have been specially crafted, the overflow is triggered and can lead to arbitrary code execution. Because an SPF check looks up the TXT record of the domain named in the incoming mail, an attacker who controls that record (for example by publishing it in a domain they own) can trigger the bug remotely against any mail server that runs libspf2.

A DNS TXT record carries two kinds of length field. The first is the length of the whole record (RDLENGTH). The second is a one-byte length, in the range 0 to 255, in front of each <character-string> inside the record's data, giving the length of that particular string. Nothing ties the two together, and DNS servers do not enforce any consistency check between them. When libspf2 receives a TXT record it allocates a buffer of the outer length, but it copies according to the inner length bytes. An inner length larger than the bytes remaining in the record therefore makes memcpy write past the end of the heap buffer; and because the loop only subtracts len + 1 from rdlen and never compares len against what is left, it also reads past the end of the record's data.

The vulnerable code in libspf2:

Spf_dns_resolv.c#SPF_dns_resolv_lookup():

           case ns_t_txt:
               if ( rdlen > 1 )
               {
                   u_char *src, *dst;
                   size_t len;

                   if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != SPF_E_SUCCESS ) // allocate rdlen bytes at spfrr->rr[cnt]->txt
                       return spfrr;

                   dst = spfrr->rr[cnt]->txt;
                   len = 0;
                   src = (u_char *)rdata;
                   while ( rdlen > 0 )
                   {
                       len = *src; // second length from the attacker-controlled data stream: 0 to 255, not bounded by rdlen
                       src++;
                       memcpy( dst, src, len ); // copy len bytes into the rdlen-byte buffer, with no check that len fits
                       dst += len;
                       src += len;
                       rdlen -= len + 1;
                   }
                   *dst = '\0';
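
As an added illustration (editor's example, not code from libspf2 or from the advisory), the following C program models the loop above on two constructed TXT RDATA buffers and puts a hardened parser beside it. The vulnerable model walks the record exactly as the original does, reading each inner length byte and advancing by it without comparing it to the bytes left, but it counts the bytes the original would memcpy instead of writing them, so it can be run safely. The sample records, the function names and the hardened variant are this example's own; the hardened parser is not the upstream 1.2.8 fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample RDATA (not captured from a real server).
 * A well-formed TXT record: two <character-string>s, each prefixed by its
 * own one-byte length, 13 bytes of RDATA in total. */
const uint8_t kGoodTxt[] = { 7, 'v','=','s','p','f','1',' ', 4, '-','a','l','l' };
const size_t kGoodTxtLen = sizeof(kGoodTxt);

/* Constructed hostile RDATA: RDLENGTH says 4 bytes, but the first inner
 * length byte claims a 200-byte string. */
const uint8_t kBadTxt[] = { 200, 'A', 'A', 'A' };
const size_t kBadTxtLen = sizeof(kBadTxt);

/* Model of the vulnerable loop: same walk, but counting instead of copying.
 * Returns the number of bytes (including the terminating NUL) the original
 * would store in its rdlen-byte buffer. The walk stops once it has run off
 * the end of the record, since there is no real data to read there; the
 * first oversized length has already overflowed by then. */
size_t txt_vuln_write_count(const uint8_t *rdata, size_t rdlen)
{
    size_t pos = 0;
    size_t written = 0;

    while (pos < rdlen) {               /* original: while ( rdlen > 0 ) */
        size_t len = rdata[pos++];      /* attacker-controlled, 0..255 */
        written += len;                 /* original: memcpy(dst, src, len) */
        pos += len;                     /* original: src += len; rdlen -= len + 1 */
    }
    return written + 1;                 /* original: *dst = '\0' */
}

/* 1 if the vulnerable loop writes more than the rdlen bytes it allocated. */
int txt_vuln_overflows(const uint8_t *rdata, size_t rdlen)
{
    return txt_vuln_write_count(rdata, rdlen) > rdlen;
}

/* Hardened replacement (editor's version): every inner length is checked
 * against the bytes still left in the record before it is copied, and a
 * record that lies is rejected outright rather than silently truncated.
 * Returns a malloc'd NUL-terminated concatenation of the character-strings,
 * or NULL for a malformed record. */
char *txt_rdata_concat(const uint8_t *rdata, size_t rdlen)
{
    /* Each string costs one length byte, so the concatenation is shorter
     * than rdlen; rdlen + 1 also covers the NUL when rdlen == 0. */
    char *out = malloc(rdlen + 1);
    size_t pos = 0, off = 0;

    if (out == NULL)
        return NULL;
    while (pos < rdlen) {
        size_t len = rdata[pos++];
        if (len > rdlen - pos) {        /* claims more bytes than remain */
            free(out);
            return NULL;
        }
        memcpy(out + off, rdata + pos, len);
        off += len;
        pos += len;
    }
    out[off] = '\0';
    return out;
}

/* 1 if the hardened parser accepts the record and yields exactly `expected`. */
int txt_concat_equals(const uint8_t *rdata, size_t rdlen, const char *expected)
{
    char *s = txt_rdata_concat(rdata, rdlen);
    int eq = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

int main(void)
{
    char *s;
    printf("good record: vulnerable loop writes %zu of %zu bytes, overflow=%d\n",
           txt_vuln_write_count(kGoodTxt, kGoodTxtLen), kGoodTxtLen,
           txt_vuln_overflows(kGoodTxt, kGoodTxtLen));
    printf("bad record:  vulnerable loop writes %zu of %zu bytes, overflow=%d\n",
           txt_vuln_write_count(kBadTxt, kBadTxtLen), kBadTxtLen,
           txt_vuln_overflows(kBadTxt, kBadTxtLen));
    s = txt_rdata_concat(kGoodTxt, kGoodTxtLen);
    printf("hardened parser, good record: \"%s\"\n", s ? s : "(rejected)");
    free(s);
    s = txt_rdata_concat(kBadTxt, kBadTxtLen);
    printf("hardened parser, bad record:  %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

On the well-formed record the vulnerable loop writes 12 bytes into a 13-byte buffer and the hardened parser yields "v=spf1 -all"; on the hostile record the vulnerable loop would write 201 bytes into a 4-byte allocation, while the hardened parser rejects it as soon as the 200-byte claim exceeds the 3 bytes that remain.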

<*Source: Dan Kaminsky
  
  Links: http://www.doxpara.com/?page_id=1256
        http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=242254
        http://www.debian.org/security/2008/dsa-1659
        http://security.gentoo.org/glsa/glsa-200810-03.xml
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users assume all risk!

http://www.milw0rm.com/exploits/6805

Recommendations:
Vendor patches:

Debian
------
Debian has released security advisory DSA-1659-1 and the corresponding patches:
DSA-1659-1: New libspf2 packages fix potential remote code execution
Link: http://www.debian.org/security/2008/dsa-1659

Patch download:

Source archives:

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5.orig.tar.gz
Size/MD5 checksum:   518107 5e81bbc41c1394e466eb06dd514f97d7
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5-4+etch1.dsc
Size/MD5 checksum:      618 d7f758e290960445754d76595dd14a6b
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2_1.2.5-4+etch1.diff.gz
Size/MD5 checksum:    15086 d93480ad8a520e40d2f7aa5622c350bb

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_alpha.deb
Size/MD5 checksum:    58480 8a6fafec1a9e27c32e8c3545673ae64e
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_alpha.deb
Size/MD5 checksum:    21638 a5dbe0b61a0913d6e352aba1e10bc21a
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_alpha.deb
Size/MD5 checksum:    94420 68a4b698b96bea705889da070034e739

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_amd64.deb
Size/MD5 checksum:    54420 c5d934e0674fe954c9a2fc4a37fcabf6
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_amd64.deb
Size/MD5 checksum:    77296 5f93e9d3dedd674339dcafe2d2227d94
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_amd64.deb
Size/MD5 checksum:    20714 ac938c60372fae2b580f93f9aa9fc617

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_arm.deb
Size/MD5 checksum:    49590 ddf2d07c5b4e7cf2092b34e615b795bb
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_arm.deb
Size/MD5 checksum:    19686 c08f86305ba1af22cd47b77ab220cd31
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_arm.deb
Size/MD5 checksum:    69614 98d710d66a462fa3d29f45764d055e70

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_hppa.deb
Size/MD5 checksum:    55920 f20a075769b29a4265f6272f629accd2
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_hppa.deb
Size/MD5 checksum:    20900 20282048aa118078480fe82c4ef0d4ab
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_hppa.deb
Size/MD5 checksum:    82492 a791b2a33f2a62da7dfbfa5abf89a5e2

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_i386.deb
Size/MD5 checksum:    20016 d4a5f4f8946431c3f005afef02d77b50
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_i386.deb
Size/MD5 checksum:    71986 1631211512ce5efa9c65a493e5057a1d
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_i386.deb
Size/MD5 checksum:    51338 442bf4a790e6d019ac0347f23c5c6261

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_ia64.deb
Size/MD5 checksum:    69090 d1c4ae22765a0e1a76ecff237e6a3d07
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_ia64.deb
Size/MD5 checksum:    25436 958e093744c1346c8d3dd892f21eae3c
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_ia64.deb
Size/MD5 checksum:    98240 b120aed22d59d06065cf0a50210587fa

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_mipsel.deb
Size/MD5 checksum:    20012 0a435fb1e50a6453ee28c9f6d82b261c
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_mipsel.deb
Size/MD5 checksum:    50382 3ee99a4143a7b8bf4a4f64b66bb75783
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_mipsel.deb
Size/MD5 checksum:    81984 49611db8926324ba12a0827981e13de7

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_powerpc.deb
Size/MD5 checksum:    78872 4da7bfd68eea0826569173888d247908
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_powerpc.deb
Size/MD5 checksum:    23486 fb3f2d541f6635c50f4053f95022ea6c
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_powerpc.deb
Size/MD5 checksum:    53426 dcd7b8835c7ad6087d7a5654656b6917

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_s390.deb
Size/MD5 checksum:    54666 f0ebb010161d40c2b76f1d99db88f0be
http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_s390.deb
Size/MD5 checksum:    20580 41c4ec7139349a449b7d0abc56eb6778
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_s390.deb
Size/MD5 checksum:    77086 eb6e7ca0f8516f82d695d3655fcd3c3b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libs/libspf2/spfquery_1.2.5-4+etch1_sparc.deb
Size/MD5 checksum:    19662 4cd9803e1e7aa0963ba149ae17cb22a6
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-dev_1.2.5-4+etch1_sparc.deb
Size/MD5 checksum:    71830 b2001b910ceb4390ad427660ea8135b7
http://security.debian.org/pool/updates/main/libs/libspf2/libspf2-2_1.2.5-4+etch1_sparc.deb
Size/MD5 checksum:    49884 5efdeefe2a79ed210776647dd5a4e951

Patch installation:

1. Install the patch packages manually:

  First, download the patch with:
  # wget url  (url is the patch download link)

  Then install it with:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch packages automatically with apt-get:

   First, refresh the package database:
   # apt-get update

   Then install the updated packages:
   # apt-get upgrade

Gentoo
------
Gentoo has released security advisory GLSA-200810-03 and the corresponding patches:
GLSA-200810-03: libspf2: DNS response buffer overflow
Link: http://security.gentoo.org/glsa/glsa-200810-03.xml

All libspf2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.8"

Wayne Schlitt
-------------
The vendor has released an updated version that fixes this issue; download it from the vendor's site:

http://www.libspf2.org/spf/libspf2-1.2.8.tar.gz

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.