ProHoster > Блог > xov xwm hauv internet > Vulnerability nyob rau hauv OpenSMTPD uas tso cai rau tej thaj chaw deb code execution nrog lub hauv paus cai

Vulnerability nyob rau hauv OpenSMTPD uas tso cai rau tej thaj chaw deb code execution nrog lub hauv paus cai

Hauv lub mail server uas tau tsim los ntawm OpenBSD project OpenSMTPD txheeb xyuas tseem ceeb heev vulnerability (CVE-2020-7247), uas tso cai rau kev ua haujlwm ntawm cov lus txib plhaub ntawm lub server nrog cov cai hauv paus. Qhov tsis muaj zog tau pom thaum lub sijhawm rov tshuaj xyuas dua los ntawm Qualys Security (kev tshuaj xyuas yav dhau los ntawm OpenSMTPD) tau ua xyoo 2015, thiab qhov tsis muaj zog tshiab tau muaj txij li lub Tsib Hlis 2018). Qhov teeb meem tshem tawm nyob rau hauv OpenSMTPD 6.6.2 tso tawm. Txhua tus neeg siv raug qhia kom nruab qhov hloov tshiab tam sim ntawd (rau OpenBSD, qhov patch tuaj yeem ntsia tau ntawm syspatch).

Muaj ob hom kev tawm tsam uas tau muab tso tawm. Hom thawj ua haujlwm nrog OpenSMTPD configuration (txais cov kev thov los ntawm localhost xwb) thiab tso cai rau kev siv hauv zos thaum tus neeg tawm tsam nkag mus rau hauv lub network interface (loopback) ntawm lub server (piv txwv li, ntawm cov hosting systems). Hom thib ob tshwm sim thaum OpenSMTPD tau teeb tsa los txais cov kev thov hauv network sab nraud (lub mail server txais cov ntawv xa los ntawm lwm tus). Cov kws tshawb fawb tau npaj ib qho prototype exploit uas ua haujlwm tau zoo nrog ob qho tib si OpenSMTPD variant suav nrog OpenBSD 6.6 thiab portable version rau lwm lub operating systems (sim hauv Debian Kev sim).

Qhov teeb meem no yog tshwm sim los ntawm qhov yuam kev hauv smtp_mailaddr() function, uas raug hu kom lees paub cov nqi hauv "MAIL FROM" thiab "RCPT TO" cov teb, uas txhais tus neeg xa/tus neeg tau txais thiab raug xa thaum lub sijhawm txuas mus rau lub server xa ntawv. Txhawm rau lees paub qhov seem ntawm qhov chaw nyob email uas los ua ntej lub cim "@", smtp_mailaddr() hu rau function
valid_localpart(), uas suav tias cov cim "!#$%&'*/?^`{|}~+-=_" siv tau (MAILADDR_ALLOWED), raws li RFC 5322 xav tau.

Hauv qhov no, cov hlua ncaj qha uas khiav tawm yog ua tiav hauv mda_expand_token() function, uas hloov tsuas yog cov cim "!#$%&'*?`{|}~" (MAILADDR_ESCAPE). Tom qab ntawd, cov hlua uas tau npaj hauv mda_expand_token() yog siv thaum hu rau tus neeg xa khoom (MDA) siv cov lus txib 'execle(«/bin/sh», «/bin/sh», «-c», mda_command,…'. Yog tias cov lus raug tso rau hauv mbox ntawm /bin/sh, cov kab "/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}" raug khiav, qhov twg tus nqi ntawm "%{mbox.from}" suav nrog cov ntaub ntawv khiav tawm los ntawm "MAIL FROM" parameter.

Qhov tsis muaj zog no yog vim muaj qhov yuam kev hauv smtp_mailaddr(), uas ua rau lub luag haujlwm xa rov qab tus lej pov thawj tiav thaum muaj ib qho chaw nyob khoob hauv email, txawm tias qhov chaw nyob ua ntej "@" muaj cov cim tsis raug. Thaum npaj cov hlua, lub luag haujlwm mda_expand_token() tsuas yog zam cov cim uas tso cai rau hauv cov chaw nyob email, tsis yog txhua tus cim tshwj xeeb uas ua tau. Yog li ntawd, kom khiav koj cov lus txib, koj tsuas yog yuav tsum siv tus cim ";" thiab qhov chaw hauv qhov chaw hauv zos ntawm email, uas tsis suav nrog hauv MAILADDR_ESCAPE teeb tsa thiab tsis zam. Piv txwv li:

$ nc 127.0.0.1 25

HELO xib fwb.falken
XA NTAWV LOS NTAWM:<; pw tsaug zog 66;>
RCPT MUS RAU:
NTAUB NTAWV
.
QUIT

Tom qab qhov kev sib tham no, OpenSMTPD yuav khiav cov lus txib ntawm lub plhaub thaum xa mus rau mbox

/usr/libexec/mail.local -f; pw tsaug zog 66; hauv paus

Qhov chaw tawm tsam raug txwv los ntawm qhov tseeb tias qhov chaw nyob hauv zos tsis tuaj yeem tshaj 64 tus cim, thiab cov cim tshwj xeeb '$' thiab '|' raug hloov nrog ":" thaum lub sijhawm khiav tawm. Txhawm rau hla qhov kev txwv no, lub cev email raug xa mus rau hauv cov kwj dej tom qab /usr/libexec/mail.local raug tso tawm. Qhov no txhais tau tias los ntawm kev tswj hwm qhov chaw nyob, tsuas yog tus neeg txhais lus sh command tuaj yeem tso tawm thiab lub cev email tuaj yeem siv ua cov lus qhia. Txij li thaum cov kev pabcuam SMTP headers tau teev tseg thaum pib ntawm email, ib qho lus txib nyeem looped tau npaj siab kom hla lawv. Qhov kev siv ua haujlwm zoo li no:

$ nc 192.168.56.143 25

HELO xib fwb.falken
XA NTAWV LOS NTAWM:<;rau kuv nyob rau hauv 0 1 2 3 4 5 6 7 8 9 abcd;ua nyeem r;ua tiav;sh;tawm 0;>
RCPT MUS RAU:
NTAUB NTAWV
#0
#1
...
#d
rau kuv hauv WOPR; ua
echo -n "($i)" && id || tawg
ua tiav > /root/x."`id -u`.""$$"
.
QUIT

Tau qhov twg los: opennet.ru

Yuav txhim khu kev qha hosting rau cov chaw nrog DDoS tiv thaiv, VPS VDS servers 🔥 Yuav lub vev xaib hosting txhim khu kev qha nrog kev tiv thaiv DDoS, VPS VDS servers | ProHoster