CVE-2008-2469
Published 2008-10-23
CVE-2008-2469: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code…
Priority P263 critical 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 22.25% (97.4th percentile)
Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code via a long DNS TXT record with a modified length field.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspf2 | < libspf2 1.2.9-1 (bookworm) | libspf2 1.2.9-1 (bookworm) |
| libspf | libspf2 | <= 1.2.7 | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf | libspf2 | — | — |
| libspf2 | libspf2 | >= 0 < 1.2.9-1 | 1.2.9-1 |
| libspf2 | libspf2 | >= 0 < 1.2.9-1 | 1.2.9-1 |
| libspf2 | libspf2 | >= 0 < 1.2.9-1 | 1.2.9-1 |
| libspf2 | libspf2 | >= 0 < 1.2.9-1 | 1.2.9-1 |
Detection & IOCs (extracted from sources)
bytes: `substr($newans, 44, 1, pack('c',0xff))`
- Alert on DNS TXT responses containing a string-length prefix byte (0xFF) that exceeds the actual allocated buffer size (e.g., writing 255 bytes to a 15-byte buffer), as this is the direct trigger for the heap overflow in libspf2's SPF_dns_resolv_lookup.
- Monitor for DNS TXT responses to SPF queries where the inner string-length byte (second length field in the rdata stream) is not bounded by the outer rdlen field — specifically where `len = *src` yields a value larger than the remaining rdlen, indicating exploitation of the unbounded memcpy in Spf_dns_resolv.c.
- Flag DNS TXT responses for SPF-queried domains that include two TXT records: one legitimate 'v=spf1 mx +all' record and one anomalously long all-ASCII payload record (~233+ bytes), as this is the attack pattern used in the PoC.
- The vulnerability only affects libspf2 versions before 1.2.8; systems running 1.2.8 or later (e.g., Debian-packaged 1.2.9-1) are not affected.
- The attack is delivered via a rogue/attacker-controlled DNS server responding to SPF TXT lookups; the victim system must be querying DNS for SPF records (e.g., during mail processing) to be exposed.
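The length check from the first two detection items and the two-record heuristic from the third, written out as an added example (not code from the page's sources or from libspf2). It assumes a DNS sensor has already extracted each TXT record's raw RDATA; the function names and the sample records are constructed for illustration.

```python
# Added example: inspect raw TXT RDATA from the answers to one SPF lookup.
SPF_PREFIX = b"v=spf1"
LONG_ASCII_MIN = 233  # size threshold taken from the third detection item


def walk_txt_rdata(rdata: bytes):
    """Split TXT RDATA into character-strings (1 length byte + data each).

    Returns (strings, problem); problem is None when every inner length
    byte fits inside the outer rdlen.
    """
    strings, pos, rdlen = [], 0, len(rdata)
    while pos < rdlen:
        slen = rdata[pos]
        remaining = rdlen - pos - 1
        if slen > remaining:  # inner length not bounded by rdlen
            return strings, (f"length byte 0x{slen:02x} at offset {pos} "
                             f"exceeds remaining rdlen {remaining}")
        strings.append(rdata[pos + 1:pos + 1 + slen])
        pos += 1 + slen
    return strings, None


def inspect_txt_rrset(rdatas):
    """Return findings for the list of TXT RDATA blobs in one response."""
    findings, has_spf, long_ascii = [], False, False
    for i, rdata in enumerate(rdatas):
        strings, problem = walk_txt_rdata(rdata)
        if problem:
            findings.append(f"record {i}: {problem}")
        if b"".join(strings).startswith(SPF_PREFIX):
            has_spf = True
        elif (len(rdata) >= LONG_ASCII_MIN
              and all(0x20 <= b < 0x7F for b in rdata[1:])):
            long_ascii = True  # heuristic only: long printable payload
    if has_spf and long_ascii:
        findings.append("SPF record accompanied by a long all-ASCII TXT record")
    return findings


# Constructed sample records (not captured traffic).
_spf = b"v=spf1 mx +all"
BENIGN = bytes([len(_spf)]) + _spf
MALFORMED = b"\xff" + b"A" * 15        # claims 255 bytes, carries 15
LONG_ASCII = bytes([240]) + b"A" * 240  # well-formed but anomalously long
```
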
CVSS provenance
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
osv · 10.0 · CRITICAL
vendor_debian · 10.0 · HIGH
GHSA
GHSA-jc7w-hj86-2rr5: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv
ghsa_unreviewed·2022-05-01
CVE-2008-2469 [HIGH] CWE-119 GHSA-jc7w-hj86-2rr5: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv
OSV
CVE-2008-2469: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv
osv·2008-10-23·CVSS 10.0
CVE-2008-2469 [CRITICAL] CVE-2008-2469: Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv
Debian
CVE-2008-2469: libspf2 - Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_reso...
vendor_debian·2008·CVSS 10.0
CVE-2008-2469 [CRITICAL] CVE-2008-2469: libspf2 - Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_reso...
Scope: local
bookworm: resolved (fixed in 1.2.9-1)
bullseye: resolved (fixed in 1.2.9-1)
forky: resolved (fixed in 1.2.9-1)
sid: resolved (fixed in 1.2.9-1)
trixie: resolved (fixed in 1.2.9-1)
No detection rules found.
No writeups or analysis indexed.
References
- http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=242254
- http://secunia.com/advisories/32396
- http://secunia.com/advisories/32450
- http://secunia.com/advisories/32496
- http://secunia.com/advisories/32720
- http://security.gentoo.org/glsa/glsa-200810-03.xml
- http://securityreason.com/securityalert/4487
- http://up2date.astaro.com/2008/11/up2date_7305_released.html
- http://www.debian.org/security/2008/dsa-1659
- http://www.doxpara.com/?p=1263
- http://www.doxpara.com/?page_id=1256
- http://www.kb.cert.org/vuls/id/183657
- http://www.securityfocus.com/bid/31881
- http://www.vupen.com/english/advisories/2008/2896
- https://answers.launchpad.net/ubuntu/gutsy/+source/libspf2/1.2.5.dfsg-4ubuntu0.7.10.1
- https://bugs.launchpad.net/ubuntu/feisty/+source/libspf2/+bug/271025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46055
- https://www.exploit-db.com/exploits/6805