Vulnerabilities in OpenSMTPD that allow remote and local access to root

Qualys has disclosed another critical, remotely exploitable vulnerability (CVE-2020-8794) in OpenSMTPD, the mail server developed by the OpenBSD project. Like the vulnerability identified at the end of January, the new problem makes it possible to remotely execute arbitrary shell commands on the server with root privileges. The vulnerability is fixed in OpenSMTPD 6.6.4p1.

The problem is caused by a bug in the code that delivers mail to remote mail servers (not in the code that handles incoming connections), so an attack is possible both on the client side and on the server side. On the client side, the attack works against the default configuration of OpenSMTPD, in which it accepts connections only on the loopback interface (localhost) and sends outgoing mail to external servers. To exploit the vulnerability it is enough that, while delivering a message, OpenSMTPD establishes a session with a mail server controlled by the attacker, or that the attacker can interpose on the client connection (MITM, or redirection through DNS or BGP hijacking).

For a server-side attack, OpenSMTPD must be configured to accept connections from other mail servers over the network, or serve a third-party service that lets anyone trigger a message to an arbitrary address (for example, an address-confirmation form on a website). The attacker connects to the OpenSMTPD server and sends a message to an invalid address (a non-existent user), which causes a delivery failure notification (bounce) to be sent back to the attacker's server; the vulnerability is triggered when OpenSMTPD connects to the attacker's server to deliver that notification. The shell commands injected during the attack are written to a file that is executed as root when OpenSMTPD is restarted, so the attacker must wait for a restart or crash OpenSMTPD to complete the attack.

The problem lies in the mta_io() function, in the code that parses the multi-line response returned by a remote server after a connection is established (for example, "250-ENHANCEDSTATUSCODES" followed by "250 HELP"). OpenSMTPD expects the first line to consist of a three-digit code and text separated by a "-", and the last line to consist of a three-digit code and text separated by a space. If the three-digit code on the second line is not followed by a space and text, the pointer used to locate the text is set to the byte following the terminating '\0' character, and the code attempts to copy data past the end of the line into the buffer.
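The bug shape described above, as an added example that is not OpenSMTPD's code: a constructed model in C of a multi-line SMTP reply parser, with the unsafe "text starts at line + 4" pointer derivation beside a version that checks the separator byte first and treats a bare "250" as a valid final line with empty text. The function names and the sample reply lines are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the multi-line reply handling described above.
 * This is not OpenSMTPD's mta_io(); it only reproduces the shape of the
 * bug: deriving the text pointer as line + 4 before checking line[3]. */

/* Returns 1 if the line starts with a three-digit SMTP status code. */
int has_status_code(const char *line)
{
    return strlen(line) >= 3 &&
           isdigit((unsigned char)line[0]) &&
           isdigit((unsigned char)line[1]) &&
           isdigit((unsigned char)line[2]);
}

/* Vulnerable shape: assumes every line is "NNN-text" or "NNN text", so
 * the text is taken to start at line + 4 without checking line[3].
 * For a bare "250", line[3] is the terminating '\0' and line + 4 points
 * past the end of the string; copying from there reads unrelated memory. */
const char *reply_text_unsafe(const char *line)
{
    return line + 4;
}

/* Reports whether dereferencing reply_text_unsafe(line) would read
 * outside the string: only indices 0..strlen(line) are in bounds. */
int unsafe_text_reads_oob(const char *line)
{
    return strlen(line) < 4;
}

/* Hardened shape: validate the separator before deriving the text
 * pointer. Sets *is_last for a final line and returns NULL on a
 * malformed line. A bare "NNN" is a valid final line with empty text
 * (RFC 5321 lets the textstring be omitted), so it is accepted
 * without stepping past the terminator. */
const char *reply_text_safe(const char *line, int *is_last)
{
    if (!has_status_code(line))
        return NULL;
    switch (line[3]) {
    case '-':  *is_last = 0; return line + 4;
    case ' ':  *is_last = 1; return line + 4;
    case '\0': *is_last = 1; return line + 3;   /* empty text, still in bounds */
    default:   return NULL;                     /* "250X..." is a protocol error */
    }
}

/* Parses a complete reply given as n lines. Returns 0 and stores the
 * status code on success; -1 if any line is malformed, the code changes
 * between lines, lines follow the final line, or no final line exists. */
int parse_reply(const char *const lines[], size_t n, int *code)
{
    int first = -1;
    for (size_t i = 0; i < n; i++) {
        int last = 0;
        if (reply_text_safe(lines[i], &last) == NULL)
            return -1;
        int c = (lines[i][0] - '0') * 100 + (lines[i][1] - '0') * 10 + (lines[i][2] - '0');
        if (first < 0)
            first = c;
        else if (c != first)
            return -1;
        if (last) {
            if (i + 1 != n)
                return -1;
            *code = c;
            return 0;
        }
    }
    return -1;
}

/* Convenience for a two-line reply: the parsed code, or -1 if rejected. */
int parse_code_of(const char *line1, const char *line2)
{
    const char *lines[] = { line1, line2 };
    int code = 0;
    return parse_reply(lines, 2, &code) == 0 ? code : -1;
}

int main(void)
{
    /* Constructed replies: the well-formed banner from the article, the
     * bare final line that trips the unsafe pointer, and a malformed one. */
    printf("well-formed -> %d\n", parse_code_of("250-ENHANCEDSTATUSCODES", "250 HELP"));
    printf("bare final  -> %d\n", parse_code_of("250-ENHANCEDSTATUSCODES", "250"));
    printf("malformed   -> %d\n", parse_code_of("250-ENHANCEDSTATUSCODES", "250X"));
    printf("unsafe pointer reads out of bounds on \"250\": %d\n", unsafe_text_reads_oob("250"));
    return 0;
}
```

The point of the hardened version is the order of operations: the separator byte is inspected while it is still known to be inside the string, and only then is a text pointer derived. The unsafe version commits to an offset the input never justified, which is exactly what lets a hostile remote server steer the copy past the line's terminator.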

At the request of the OpenBSD project, publication of the exploit details has been delayed until February 26 to give users time to update. The bug has been present in the codebase since December 2015, but exploitation leading to code execution as root has been possible since May 2018. The researchers have prepared a working proof-of-concept exploit, successfully tested against OpenSMTPD builds for OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 (testing) and Fedora 31.

A second vulnerability (CVE-2020-8793) has also been identified in OpenSMTPD; it allows a local user to read the first line of any file on the system. For example, the first line of /etc/master.passwd, which contains the root user's password hash, can be read. The vulnerability also allows reading the full contents of a file owned by another user if that file resides on the same filesystem as the /var/spool/smtpd/ directory. The problem is not exploitable on many Linux distributions, which set /proc/sys/fs/protected_hardlinks to 1.

The problem results from an incomplete fix for issues raised during the audit Qualys conducted in 2015. An attacker can get code executed with the privileges of the "_smtpq" group by setting "PATH=." and placing a script named makemap in the current directory (the smtpctl utility runs makemap without an explicit path). Having gained "_smtpq" group privileges, the attacker can then trigger a race condition (create a large file in the offline directory and send a SIGSTOP signal) and, before processing completes, replace the file in the offline directory with a hard link pointing to the target file whose contents are to be read.

Notably, on Fedora 31 the vulnerability immediately yields the privileges of the root group, since the smtpctl binary is installed setgid root instead of setgid _smtpq. With root group access, an attacker can overwrite the contents of /var/lib/sss/mc/passwd and obtain full root access to the system.

Source: opennet.ru