2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail the OpenSMTPD remote command execution vulnerability notice.
0x00 Vulnerability Background
On January 29, 2020, the OpenSMTPD project committed a fix for CVE-2020-7247 to its GitHub code repository. CVE-2020-7247 results from lax sender/recipient checks in OpenSMTPD's implementation of RFC 5321.
OpenSMTPD is an SMTP server for Unix operating systems (BSD, macOS, GNU/Linux) that follows the RFC 5321 SMTP protocol.
OpenSMTPD was originally developed for the OpenBSD operating system, but because it is open source it has been ported to other Unix platforms.
OpenSMTPD is part of the OpenBSD project. Under the ISC license, the software is free for all to use and reuse.
360CERT judged that the vulnerability level was medium risk and the impact area was limited.
However, the vulnerability can be attacked under the default configuration. Service administrators and operations staff are asked to carry out self-inspection promptly.
0x01 Vulnerability Details
The vulnerability was reported by Qualys, whose analysis places the problem in the smtp_mailaddr function in usr.sbin/smtpd/smtp_session.c. smtp_mailaddr is responsible for validating the MAIL FROM and RCPT TO mail addresses:
static int
smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
    const char *domain)
{
    ...
    if (! valid_localpart(maddr->user) ||
        ! valid_domainpart(maddr->domain)) {
        /* accept empty return-path in MAIL FROM, required for bounces */
        if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
            return (1);
        /* no user-part, reject */
        if (maddr->user[0] == '\0')
            return (0);
        /* no domain, local user */
        if (maddr->domain[0] == '\0') {
            (void)strlcpy(maddr->domain, domain,
                sizeof(maddr->domain));
            return (1);
        }
        return (0);
    }
    return (1);
}
The valid_localpart check validates the local part of an address, which is what local delivery uses (for example, mail sent to the local user guest).
If maddr->user is invalid (so ! valid_localpart is true) but maddr->domain[0] is empty, smtp_mailaddr fills in the default domain and returns 1.
The invalid address is therefore accepted, the program proceeds as if the check had passed, and the local delivery process starts.
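As an added example (not code from the page or from OpenSMTPD), the following C program models the accept/reject logic of the excerpt above in two variants: a lax one that mirrors the flawed "no domain, local user" branch, and a hardened one that re-checks the local part before filling in the default domain. The helpers valid_localpart, valid_domainpart and parse_mailaddr are simplified assumptions written for this example, not the real OpenSMTPD implementations, and the domain example.test is a placeholder.

```c
/* Added example (not OpenSMTPD code): model of the smtp_mailaddr
 * accept/reject logic in a lax and a hardened form.  The helpers
 * below are simplified assumptions, not the real implementations. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCALPART  64
#define MAX_DOMAINPART 255

struct mailaddr {
    char user[MAX_LOCALPART + 1];
    char domain[MAX_DOMAINPART + 1];
};

/* Simplified local-part rule (assumption): non-empty, only [A-Za-z0-9._+-]. */
static int valid_localpart(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr("._+-", *s) == NULL)
            return 0;
    return 1;
}

/* Simplified domain rule (assumption): non-empty, only [A-Za-z0-9.-]. */
static int valid_domainpart(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr(".-", *s) == NULL)
            return 0;
    return 1;
}

/* Split "user@domain" (or a bare "user") into the two fields. */
static int parse_mailaddr(struct mailaddr *m, const char *line)
{
    const char *at = strchr(line, '@');
    size_t ulen = at != NULL ? (size_t)(at - line) : strlen(line);
    const char *dom = at != NULL ? at + 1 : "";

    if (ulen > MAX_LOCALPART || strlen(dom) > MAX_DOMAINPART)
        return 0;
    memcpy(m->user, line, ulen);
    m->user[ulen] = '\0';
    strcpy(m->domain, dom);
    return 1;
}

/* Accept/reject logic with the same branch structure as the excerpt.
 * hardened == 0: the "no domain, local user" branch fills in the default
 * domain without re-checking the local part (the flaw described above).
 * hardened == 1: that branch first requires valid_localpart() to pass. */
static int check_mailaddr(struct mailaddr *maddr, int mailfrom,
    const char *domain, int hardened)
{
    if (!valid_localpart(maddr->user) || !valid_domainpart(maddr->domain)) {
        /* empty return-path in MAIL FROM is required for bounces */
        if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
            return 1;
        /* no user-part: reject */
        if (maddr->user[0] == '\0')
            return 0;
        /* no domain: treat as a local user */
        if (maddr->domain[0] == '\0') {
            if (hardened && !valid_localpart(maddr->user))
                return 0;
            snprintf(maddr->domain, sizeof(maddr->domain), "%s", domain);
            return 1;
        }
        return 0;
    }
    return 1;
}

/* Parse and check one address; returns 1 if it would be accepted. */
int address_accepted(const char *line, int mailfrom, int hardened)
{
    struct mailaddr m;

    if (!parse_mailaddr(&m, line))
        return 0;
    return check_mailaddr(&m, mailfrom, "example.test", hardened);
}

int main(void)
{
    /* Constructed inputs: a local user, the empty bounce return-path,
     * a local part carrying a shell metacharacter, and a full address. */
    const char *samples[] = { "guest", "", "a;b", "guest@example.test" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s lax=%d hardened=%d\n", samples[i],
            address_accepted(samples[i], 1, 0),
            address_accepted(samples[i], 1, 1));
    return 0;
}
```

Running it shows the difference in one line: the lax variant accepts the bare local part a;b and fills in the default domain, while the hardened variant rejects it; both still accept the empty MAIL FROM needed for bounces and the plain local user guest.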
Local delivery relies on the mda_unpriv function, which assembles and executes a local command:
// command composition
asprintf(&dispatcher->u.local.command,
    "/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}");
// command execution
execle("/bin/sh", "/bin/sh", "-c", mda_command, (char *)NULL, mda_environ);
Because the command is executed through sh, shell metacharacters that reach the command line are interpreted by sh and can cause additional commands to be executed.
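As an added example, not OpenSMTPD's code, here is a C comparison of the two ways a delivery agent can be invoked: a single command string of the kind quoted above, which sh re-parses, versus an argv vector handed directly to execve(2), in which the sender address stays one opaque argument. The MDA path /usr/libexec/mail.local is taken from the excerpt; the function names, the metacharacter check and the sample address a;b are constructed for this example.

```c
/* Added example (not OpenSMTPD code): handing a sender address to a
 * local delivery agent either as one shell command string or as an
 * argv vector.  Function names and the sample values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that sh treats specially when they appear unquoted. */
static const char SHELL_METACHARS[] = ";|&$`<>()'\"\\ \t\n*?[#~";

/* Returns 1 if s contains a shell metacharacter (a useful check to
 * apply to MAIL FROM values before they reach any command line). */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, SHELL_METACHARS) != NULL;
}

/* Portable strdup replacement so the example needs only ISO C. */
static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);

    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Pattern from the excerpt: substitute values into one command string
 * that is later executed with sh -c.  Caller frees the result. */
char *build_shell_command(const char *from, const char *user)
{
    const char *fmt = "/usr/libexec/mail.local -f %s %s";
    int n = snprintf(NULL, 0, fmt, from, user);
    char *cmd;

    if (n < 0 || (cmd = malloc((size_t)n + 1)) == NULL)
        return NULL;
    snprintf(cmd, (size_t)n + 1, fmt, from, user);
    return cmd;
}

/* Coarse model of how sh splits an unquoted command line: count the
 * words separated by blanks and ';'. */
int shell_word_count(const char *cmd)
{
    char *copy = xstrdup(cmd);
    char *tok;
    int n = 0;

    if (copy == NULL)
        return -1;
    for (tok = strtok(copy, " \t;"); tok != NULL; tok = strtok(NULL, " \t;"))
        n++;
    free(copy);
    return n;
}

/* Safer pattern: an argv vector for execve(2).  No shell parses it, so
 * `from` stays one opaque argument however many metacharacters it holds.
 * Caller frees with free_argv(). */
char **build_argv(const char *from, const char *user)
{
    char **argv = calloc(5, sizeof *argv);

    if (argv == NULL)
        return NULL;
    argv[0] = xstrdup("/usr/libexec/mail.local");
    argv[1] = xstrdup("-f");
    argv[2] = xstrdup(from);
    argv[3] = xstrdup(user);
    argv[4] = NULL;
    return argv;
}

int argv_count(char *const *argv)
{
    int n = 0;

    while (argv[n] != NULL)
        n++;
    return n;
}

void free_argv(char **argv)
{
    int i;

    for (i = 0; argv[i] != NULL; i++)
        free(argv[i]);
    free(argv);
}

int main(void)
{
    const char *from = "a;b";      /* constructed: local part with ';' */
    char *cmd = build_shell_command(from, "guest");
    char **argv = build_argv(from, "guest");

    printf("metachar in sender: %d\n", has_shell_metachar(from));
    printf("sh would see %d words in: %s\n", shell_word_count(cmd), cmd);
    printf("execve would see %d arguments, argv[2]=\"%s\"\n",
        argv_count(argv), argv[2]);
    free(cmd);
    free_argv(argv);
    return 0;
}
```

The point of the comparison is the word count: the same sender address becomes five words once sh splits the command string, but remains the single third element of the argv vector. Passing values as separate arguments, or rejecting addresses for which has_shell_metachar() is true before they reach any command line, removes the shell from the path between network input and the delivery agent.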
The problematic code was introduced in a commit from May 2018. Many distributions may still ship older versions of the software and are not affected by this issue.
For example, only Debian's development branch is affected, while Debian's stable branch is not, because it uses an older version.
0x02 Repair suggestions
Upgrade to OpenSMTPD version 6.6.2p1 in a timely manner.
Download address:
OpenSMTPD 6.6.2p1 portable release
https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.2p1/opensmtpd-6.6.2p1.tar.gz