oss-sec mailing list archives
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Sun, 1 Mar 2020 07:47:15 +0500
On Thu, Feb 27, 2020 at 12:38 AM Qualys Security Advisory <qsa () qualys com> wrote:
Qualys Security Advisory LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) ============================================================================== Contents ============================================================================== Summary Analysis Client-side exploitation (new grammar) Server-side exploitation (new grammar) Old-grammar exploitation Acknowledgments ============================================================================== Summary ============================================================================== We discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, "when peer outputs a multi-line response ..."), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, "switch smtpd to new grammar"); or as any non-root user, before May 2018. Because this vulnerability resides in OpenSMTPD's client-side code (which delivers mail to remote SMTP servers), we must consider two different scenarios: - Client-side exploitation: This vulnerability is remotely exploitable in OpenSMTPD's (and hence OpenBSD's) default configuration. Although OpenSMTPD listens on localhost only, by default, it does accept mail from local users and delivers it to remote servers. If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack -- SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation. - Server-side exploitation: First, the attacker must connect to the OpenSMTPD server (which accepts external mail) and send a mail that creates a bounce. Next, when OpenSMTPD connects back to their mail server to deliver this bounce, the attacker can exploit OpenSMTPD's client-side vulnerability. Last, for their shell commands to be executed, the attacker must (to the best of our knowledge) crash OpenSMTPD and wait until it is restarted (either manually by an administrator, or automatically by a system update or reboot). We developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31. At OpenBSD's request, and to give OpenSMTPD's users a chance to patch their systems, we are withholding the exploitation details and code until Wednesday, February 26, 2020. Last-minute note: we tested our exploit against the recent changes in OpenSMTPD 6.6.3p1, and our results are: if the "mbox" method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the "maildir" method is used, for example), arbitrary command execution as any non-root user is possible.
Just in case, I would like to complain here that my Fedora 31 systems have not received an update. There is indeed something in testing, but it is (mistakenly?) marked as a bugfix release and not as a security update: https://bodhi.fedoraproject.org/updates/?packages=opensmtpd -- Alexander E. Patrakov
Current thread:
- LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 24)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 24)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 25)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 26)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 29)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Florian Weimer (Mar 01)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 29)
- Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 24)