Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)

["Alexander E. Patrakov" <patrakov () gmail com>]

On Thu, Feb 27, 2020 at 12:38 AM Qualys Security Advisory
<qsa () qualys com> wrote:
> Qualys Security Advisory
>
> LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
>
>
> ==============================================================================
> Contents
> ==============================================================================
>
> Summary
> Analysis
> Client-side exploitation (new grammar)
> Server-side exploitation (new grammar)
> Old-grammar exploitation
> Acknowledgments
>
>
> ==============================================================================
> Summary
> ==============================================================================
>
> We discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This
> vulnerability, an out-of-bounds read introduced in December 2015 (commit
> 80c6a60c, "when peer outputs a multi-line response ..."), is exploitable
> remotely and leads to the execution of arbitrary shell commands: either
> as root, after May 2018 (commit a8e22235, "switch smtpd to new
> grammar"); or as any non-root user, before May 2018.
>
> Because this vulnerability resides in OpenSMTPD's client-side code
> (which delivers mail to remote SMTP servers), we must consider two
> different scenarios:
>
> - Client-side exploitation: This vulnerability is remotely exploitable
>   in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
>   OpenSMTPD listens on localhost only, by default, it does accept mail
>   from local users and delivers it to remote servers. If such a remote
>   server is controlled by an attacker (either because it is malicious or
>   compromised, or because of a man-in-the-middle, DNS, or BGP attack --
>   SMTP is not TLS-encrypted by default), then the attacker can execute
>   arbitrary shell commands on the vulnerable OpenSMTPD installation.
>
> - Server-side exploitation: First, the attacker must connect to the
>   OpenSMTPD server (which accepts external mail) and send a mail that
>   creates a bounce. Next, when OpenSMTPD connects back to their mail
>   server to deliver this bounce, the attacker can exploit OpenSMTPD's
>   client-side vulnerability. Last, for their shell commands to be
>   executed, the attacker must (to the best of our knowledge) crash
>   OpenSMTPD and wait until it is restarted (either manually by an
>   administrator, or automatically by a system update or reboot).
>
> We developed a simple exploit for this vulnerability and successfully
> tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
> first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
> Fedora 31. At OpenBSD's request, and to give OpenSMTPD's users a chance
> to patch their systems, we are withholding the exploitation details and
> code until Wednesday, February 26, 2020.
>
> Last-minute note: we tested our exploit against the recent changes in
> OpenSMTPD 6.6.3p1, and our results are: if the "mbox" method is used for
> local delivery (the default in OpenBSD -current), then arbitrary command
> execution as root is still possible; otherwise (if the "maildir" method
> is used, for example), arbitrary command execution as any non-root user
> is possible.

Just in case, I would like to complain here that my Fedora 31 systems
have not received an update.

There is indeed something in testing, but it is (mistakenly?) marked
as a bugfix release and not as a security update:

https://bodhi.fedoraproject.org/updates/?packages=opensmtpd

-- 
Alexander E. Patrakov