Qualys Company
The problem is caused by a bug in the code that delivers mail to the remote mail server (not the code that handles incoming connections). The attack is possible both on the client side and on the server side. On the client side, the attack works in the default configuration of OpenSMTPD, in which OpenSMTPD only accepts requests on the internal network interface (localhost) and sends mail to external servers. To exploit the vulnerability, it is enough that, while delivering a message, OpenSMTPD establishes a session with a mail server controlled by the attacker, or that the attacker can intercept the client connection (MITM, or redirection through a DNS or BGP attack).
For a server-side attack, OpenSMTPD must be configured to accept external network requests from other mail servers, or to serve third-party services that allow sending a message to an arbitrary address (for example, address confirmation forms on websites). For example, an attacker can connect to the OpenSMTPD server and send an invalid message (to a non-existent user), which causes a bounce with an error code to be sent to the attacker's server. The attacker can then exploit the vulnerability when OpenSMTPD connects to deliver that notification to the attacker's server. The shell commands injected during the attack are placed in a file that is executed as root when OpenSMTPD is restarted, so the attacker must wait until OpenSMTPD is restarted, or crash OpenSMTPD, to complete the attack.
The problem is in the mta_io() function, in the code that parses the multi-line response returned by the remote server after a connection has been established (for example, "250-ENHANCEDSTATUSCODES" and "250 HELP"). OpenSMTPD expects the first line to consist of a three-digit number and text separated by a "-", and the second line to consist of a three-digit number and text separated by a space. If the three-digit number on the second line is not followed by a space and text, the pointer used to locate the text is set to the byte following the '\0' character, and the data after the end of the line is copied into the buffer.
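The parsing mistake described above is that the text pointer is advanced past the separator without first checking that a separator is present. The following is an added example (not OpenSMTPD's code) of a bounds-checked reply-line parser for the "DDD-text" / "DDD text" / "DDD" forms of an SMTP multi-line reply; the function names and the struct are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One parsed line of an SMTP reply (hypothetical type for this example). */
struct smtp_reply_line {
    int code;         /* three-digit reply code */
    int more;         /* 1 if a "DDD-" continuation line, 0 if the final line */
    const char *text; /* points into the input; "" when the line has no text */
};

/* Parse one NUL-terminated reply line.  Returns 0 on success, -1 if malformed.
 * The text pointer is only ever moved to a byte that is known to exist, so a
 * bare "250" (three digits and then the terminator) yields empty text rather
 * than a pointer past the '\0'. */
int parse_reply_line(const char *line, struct smtp_reply_line *out)
{
    size_t len = strlen(line);
    if (len < 3)
        return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;
    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (len == 3) {               /* "250": final line with no text */
        out->more = 0;
        out->text = line + 3;     /* points at the NUL, never beyond it */
        return 0;
    }
    if (line[3] == '-') {         /* "250-text": more lines follow */
        out->more = 1;
        out->text = line + 4;
        return 0;
    }
    if (line[3] == ' ') {         /* "250 text": final line */
        out->more = 0;
        out->text = line + 4;
        return 0;
    }
    return -1;                    /* fourth byte is neither separator: reject, do not skip it */
}

/* Parse a whole reply given as consecutive lines.  Returns the reply code, or
 * -1 if any line is malformed, the codes disagree, or the final line is missing. */
int parse_reply(const char *const *lines, size_t n)
{
    struct smtp_reply_line rl;
    int code = -1;
    for (size_t i = 0; i < n; i++) {
        if (parse_reply_line(lines[i], &rl) != 0)
            return -1;
        if (code != -1 && rl.code != code)
            return -1;                            /* every line must carry the same code */
        code = rl.code;
        if (!rl.more)
            return (i + 1 == n) ? code : -1;     /* the final line must be the last one */
    }
    return -1;                                    /* input ended before a final line */
}
```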
At the request of the OpenBSD project, the release of exploit details has been delayed until February 26 to give users time to update their systems. The issue has been present in the codebase since December 2015, but exploitation that leads to code execution as root has been possible since May 2018. The researchers have prepared a working prototype exploit, which has been successfully tested against OpenSMTPD builds for OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 (testing) and Fedora 31.
Also in OpenSMTPD
The problem is the result of incomplete elimination
It is noteworthy that in Fedora 31 the vulnerability immediately yields the privileges of the root group, since the smtpctl binary is installed setgid root instead of setgid smtpq. With access to the root group, the contents of /var/lib/sss/mc/passwd can be overwritten to gain full root access to the system.
Source: opennet.ru