Summary:
>> either locally, in OpenSMTPD’s default configuration (that listens on
loopback interface and only accepts mail from localhost).
>> or locally and remotely, in OpenSMTPD’s “uncommented” default configuration (that listens on all interfaces and accepts external
mail).
Affected products:
Proof of concept is successfully tested against OpenBSD 6.6 (the current release) and Debian testing (Bullseye), other versions and distributions may also be exploitable.
Vulnerability:
Vulnerability resides in smtp_mailaddr(). OpenSMTPD’s smtp_mailaddr() function allows to validate sender (MAIL FROM) and recipient (RCPT TO) mail addresses.
static int smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args, const char *domain) { if (!valid_localpart(maddr->user) || !valid_domainpart(maddr->domain)) { if (maddr->domain[0] == '\0') { (void)strlcpy(maddr->domain, domain, sizeof(maddr->domain)); return (1); } return (0); } return (1); }
For more details about the vulnerability and proof of concept refer to the Qualys Security Advisory here.
Exploitation:
Below screenshot shows the files on the target(Victim’s) system before the SMTP session between attacker and victim.
![](https://threatprotect.qualys.com/wp-content/uploads/2020/01/Before.png)
The remote SMTP session executes the body of our mail, as root, in OpenSMTPD’s “uncommented” default config.
![](https://threatprotect.qualys.com/wp-content/uploads/2020/01/attacker.png)
As we can see a new file named x.0.9441 is being created on the target system which has the contents of “id” command that was executed during SMTP session.
![](https://threatprotect.qualys.com/wp-content/uploads/2020/01/After.png)
Remediation and Mitigation:
We request organizations to apply the latest patches from OpenBSD to address CVE-2020-7247. OpenBSD has addressed this issue in OpenBSD Security Advisory OpenBSD 6.5 , OpenBSD 6.6 .
Qualys customers can use QID: 50097 to detect vulnerable assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.
References & Sources:
- https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt