CVE-2020-8794
Description
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
Technical Analysis
If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack — SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation.
This seems to be the primary limitation for exploitation. You can’t just give OpenSMTPD an IP address. You need to control an MX host or relay, so a little more setup is required. Contrast this with CVE-2020-7247, which is directly exploitable against the server.
General Information
Vendors
- canonical
- debian
- fedoraproject
- opensmtpd
Products
- debian linux 10.0
- debian linux 9.0
- fedora 31
- fedora 32
- opensmtpd
- ubuntu linux 18.04
- ubuntu linux 19.10
Technical Analysis
I was wrong. I was Today Years Old when I learned an IPv4 address literal can be specified if surrounded by square brackets. It’s not just for IPv6. That waives the MX requirement trivially. See https://serverfault.com/questions/905886/is-it-possible-to-send-and-receive-an-email-from-an-ip-address-instead-from-a-do.
Also, there are indeed additional lines you can specify to alter the daemon’s behavior and turn the OOB read into command execution. I suspected there may be special “headers” to control the daemon but made no effort to confirm their existence. Further reading of the source would have discovered them. Incredible research by Qualys: https://seclists.org/oss-sec/2020/q1/96.
Exploit: https://github.com/rapid7/metasploit-framework/pull/13003.
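The follow-up above points out that the vulnerable client code is reached when the server generates a bounce, and that an RFC 5321 address literal such as user@[192.0.2.10] in the envelope sender lets that bounce be routed to a raw IP with no MX record involved. The check below is an added example written for this page; it is not code from AttackerKB, Qualys, or the Metasploit module. It assumes an operator of a not-yet-patched OpenSMTPD (before 6.6.4) can evaluate each MAIL FROM address (for instance from an SMTP filter or a log feed) and wants to flag or refuse envelope senders whose domain is an address literal, so that a bounce cannot be steered to an arbitrary host without the attacker at least controlling an MX. The sample addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample envelope senders (not taken from the page). The bracketed
# forms are RFC 5321 address literals: "[IPv4]" or "[IPv6:...]".
SAMPLE_MAIL_FROM = [
    "bounce@example.com",          # ordinary domain, bounce resolves via MX/A
    "probe@[192.0.2.10]",          # IPv4 address literal, no MX lookup needed
    "probe@[IPv6:2001:db8::1]",    # IPv6 address literal
    "bad@[999.1.1.1]",             # syntactically bracketed but not a valid IP
    "<>",                          # null reverse-path: no bounce is ever sent
]

# Matches a domain written as an address literal, capturing the inside.
ADDRESS_LITERAL = re.compile(r"^\[(?P<lit>[^\]]+)\]$")


def envelope_domain(mail_from: str) -> Optional[str]:
    """Return the domain part of an envelope sender, or None for the null sender
    or anything without an '@'. Angle brackets as sent on the wire are stripped."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "" or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1]


def classify_address_literal(domain: str) -> Optional[str]:
    """Classify a domain as an address literal.

    Returns "ipv4" or "ipv6" for a well-formed literal, "invalid" for a
    bracketed domain that does not parse as an IP, and None for a normal
    host name."""
    m = ADDRESS_LITERAL.match(domain)
    if not m:
        return None
    lit = m.group("lit")
    if lit.lower().startswith("ipv6:"):
        try:
            ipaddress.IPv6Address(lit[len("ipv6:"):])
            return "ipv6"
        except ValueError:
            return "invalid"
    try:
        ipaddress.IPv4Address(lit)
        return "ipv4"
    except ValueError:
        return "invalid"


def bounce_target_policy(mail_from: str) -> Tuple[str, Optional[str]]:
    """Decide whether to accept a MAIL FROM on an unpatched server.

    Returns (action, literal_kind). Any address-literal domain, valid or not,
    is rejected because a bounce to it would have the vulnerable client code
    connect to an address the sender chose directly. Normal domains and the
    null sender are accepted; for the null sender no bounce is generated."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return ("accept", None)
    kind = classify_address_literal(domain)
    if kind is not None:
        return ("reject", kind)
    return ("accept", None)


def summarize(addresses) -> dict:
    """Run the policy over a batch and count decisions (constructed data above)."""
    counts = {"accept": 0, "reject": 0}
    for addr in addresses:
        action, _ = bounce_target_policy(addr)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    for addr in SAMPLE_MAIL_FROM:
        print(f"{addr:30} -> {bounce_target_policy(addr)}")
    print(summarize(SAMPLE_MAIL_FROM))
```

This is a stopgap, not a fix: as the first assessment notes, an attacker who controls an MX host or relay for a registered domain still reaches the same code path, so the only real remediation is upgrading to OpenSMTPD 6.6.4 or later. The check is useful mainly for spotting probing in logs and for narrowing exposure during the window before a patch is rolled out.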