10
CVSSv2

CVE-2020-7247

Published: 29/01/2020 Updated: 31/01/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote malicious users to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Vulnerability Trend

Affected Products

Vendor Product Versions
OpenbsdOpensmtpd6.6
DebianDebian Linux9.0, 10.0

Vendor Advisories

OpenSMTPD could be made to run programs as root if it received specially crafted input over the network ...
Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade For the oldstable distribution (stretch), these problems have been fixed in version 6 ...
Arch Linux Security Advisory ASA-202001-6 ========================================= Severity: Critical Date : 2020-01-29 CVE-ID : CVE-2020-7247 Package : opensmtpd Type : arbitrary code execution Remote : Yes Link : securityarchlinuxorg/AVG-1090 Summary ======= The package opensmtpd before version 662p1-1 is vulnerable to ...
A vulnerability was discovered in OpenSMTPd before version 662 which allows arbiterary code execution by constructing a mail FROM address that escapes the regex filter ...

Mailing Lists

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root ...
smtp_mailaddr in smtp_sessionc in OpenSMTPD 66, as used in OpenBSD 66 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell meta-characters in a MAIL FROM field This affects the "uncommented" default configuration The issue exists because of an incorrect return va ...
OpenSMTPD version 662 remote code execution exploit ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4611-1 security () debian org wwwdebianorg/security/ Moritz Muehlenhoff January 29, 2020 wwwdebianorg/security/faq ...
Qualys Security Advisory LPE and RCE in OpenSMTPD (CVE-2020-7247) ============================================================================== Contents ============================================================================== Summary Analysis Exploitation Acknowledgments ================================================================= ...
Qualys Security Advisory LPE and RCE in OpenSMTPD (CVE-2020-7247) ============================================================================== Contents ============================================================================== Summary Analysis Exploitation Acknowledgments ================================================================= ...
Qualys Security Advisory LPE and RCE in OpenSMTPD (CVE-2020-7247) ============================================================================== Contents ============================================================================== Summary Analysis Exploitation Acknowledgments ================================================================= ...

Github Repositories

Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2

No description, website, or topics provided.

Recent Articles

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage
The Register • Shaun Nichols in San Francisco • 30 Jan 2020

Function accidentally returns OK instead of no-way

Code dive The OpenBSD project's OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email.
Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon's default configuration, or locally and remotely if the daemon is using its "uncommented" default configuration, in which it listens on all i...

Critical Remote Code Execution Bug Fixed in OpenBSD SMTP Server
BleepingComputer • Ionut Ilascu • 01 Jan 1970

A critical vulnerability in the free OpenSMTPD email server present in many Unix-based systems can be exploited to run shell commands with root privileges.
The component is a free implementation of the server-side SMTP protocol to exchange email-related traffic with compatible systems.
It is part of the OpenBSD project and has a portable version that is compatible with other operating systems: FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
The s3curity bu...