Signature Detail

DNS: DNS TXT Record Handling Remote Buffer Overflow (1)

This signature detects attempts to exploit a known vulnerability in SPF Library Project libspf2. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the Root system level. This signature should only be used to protect DNS servers under your control, and not for the Internet in general. This detects DNS TXT records 200 bytes or longer, which is common on the Internet. This library was used primarily in Debian 4.0 and was fixed in libspf2 version 1.2.8, released in mid-September, 2008. If you do not have a vulnerable version of libspf2, it is not recommended to use this signature, as it can false-positive on normal, non-malicious Internet traffic.

Extended Description

Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code via a long DNS TXT record with a modified length field.

Affected Products

• Libspf libspf2 1.0.2
• Libspf libspf2 1.0.3
• Libspf libspf2 1.0.4
• Libspf libspf2 1.2.1
• Libspf libspf2 1.2.3
• Libspf libspf2 1.2.4
• Libspf libspf2 1.2.5
• Libspf libspf2 1.2.6
• Libspf libspf2 1.2.7

References

• BugTraq: 31881
• CVE: CVE-2008-2469
• CVE: CVE-2012-5671
• URL: http://www.doxpara.com/?page_id=1256