OpenBSD OpenSMTPD Remote Command Execution Vulnerability (CVE-2020-7247)

Summary:

Recently there was a discovery of vulnerabaility tracked as (CVE-2020-7247) in OpenSMTPD, OpenBSD’s mail server. This vulnerability was exploitable since May 2018 (commit a8e222352f, “switch smtpd to new grammar”) that allows an attacker to execute arbitrary shell commands, as root:

>>  either locally, in OpenSMTPD’s default configuration (that listens on
loopback interface and only accepts mail from localhost).

 >>   or locally and remotely, in OpenSMTPD’s “uncommented” default configuration (that listens on all interfaces and accepts external
mail).

Affected products:

Proof of concept is successfully tested against OpenBSD 6.6 (the current release) and Debian testing (Bullseye), other versions and distributions may also be exploitable.

Vulnerability:

Vulnerability resides in smtp_mailaddr(). OpenSMTPD’s smtp_mailaddr() function allows to validate sender (MAIL FROM) and recipient (RCPT TO) mail addresses.

 static int
 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
 const char *domain)
 {
 if (!valid_localpart(maddr->user) ||
             !valid_domainpart(maddr->domain)) {

                             if (maddr->domain[0] == '\0') {
                                      (void)strlcpy(maddr->domain, domain,
                                        sizeof(maddr->domain));
                                return (1);
                             }
                            return (0);
                   }
                 return (1);
 }

For more details about the vulnerability and proof of concept refer to the Qualys Security Advisory here.

Exploitation:

Below screenshot shows the files on the target(Victim’s) system before the SMTP session between attacker and victim.

Files on target before SMTP session

The remote SMTP session executes the body of our mail, as root, in OpenSMTPD’s “uncommented” default config.

SMTP session between attacker and victim

As we can see a new file named x.0.9441 is being created on the target system which has the contents of  “id” command that was executed during SMTP session.

Files on target after SMTP session

Remediation and Mitigation:

We request organizations to apply the latest patches from OpenBSD to address CVE-2020-7247. OpenBSD has addressed this issue in OpenBSD Security Advisory OpenBSD 6.5 , OpenBSD 6.6 .

Qualys customers can use QID: 50097 to detect vulnerable assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.

References & Sources:

  • https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Leave a Reply

Your email address will not be published. Required fields are marked *