smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote malicious users to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Vulnerable Product |
---|
openbsd opensmtpd 6.6 |
debian debian linux 9.0 |
debian debian linux 10.0 |
fedoraproject fedora 32 |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 19.10 |
Function accidentally returns OK instead of no-way
The OpenBSD project's OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email. Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon's default configuration, or locally and remotely if the daemon is using its "uncommented" default configuration, in which it listens on all interfa...
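The CVE text above says the root cause is "an incorrect return value upon failure of input validation", and the headline puts it as the function returning OK instead of no-way. The following C program is an added example, written for this page; it is not OpenSMTPD's own smtp_session.c and not the Qualys proof of concept. It models the sender-validation decision in simplified form so the flawed branch can be seen side by side with a corrected one: `valid_localpart()` and `valid_domainpart()` use an RFC 5321 dot-atom character class, `text_to_mailaddr()` splits on '@', and `mailaddr_check()` carries the accept/reject logic with a `fixed` flag selecting the corrected return. The function names, the size limits, the default domain "localhost" and the sample addresses are all constructed assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes, not OpenSMTPD's own limits. */
#define MAXLOCALPART 64
#define MAXDOMAIN    255

struct mailaddr {
    char user[MAXLOCALPART + 1];
    char domain[MAXDOMAIN + 1];
};

/* Local part: RFC 5321 atext plus '.' (dot-atom). Shell metacharacters such
 * as ';', whitespace and quotes are not in this set, so ";sleep 66;" fails. */
static int valid_localpart(const char *s)
{
    static const char allowed[] = "!#$%&'*+-/=?^_`{|}~.";
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr(allowed, *s) == NULL)
            return 0;
    return 1;
}

/* Domain part: a non-empty run of letters, digits, '.' and '-'. */
static int valid_domainpart(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-')
            return 0;
    return 1;
}

/* Split "user@domain" (angle brackets already removed by the SMTP parser).
 * Without an '@' the domain is left empty, which is the case the bug needs. */
static int text_to_mailaddr(struct mailaddr *m, const char *line)
{
    const char *at = strrchr(line, '@');
    size_t ulen = at != NULL ? (size_t)(at - line) : strlen(line);

    if (ulen > MAXLOCALPART || (at != NULL && strlen(at + 1) > MAXDOMAIN))
        return 0;
    memcpy(m->user, line, ulen);
    m->user[ulen] = '\0';
    if (at != NULL)
        strcpy(m->domain, at + 1);
    else
        m->domain[0] = '\0';
    return 1;
}

/* Accept (1) or reject (0) an address. mailfrom is 1 for MAIL FROM and 0 for
 * RCPT TO; fixed selects the corrected return value in the no-domain branch. */
static int mailaddr_check(struct mailaddr *m, const char *line, int mailfrom,
                          const char *default_domain, int fixed)
{
    if (!text_to_mailaddr(m, line))
        return 0;
    if (valid_localpart(m->user) && valid_domainpart(m->domain))
        return 1;

    /* An empty return path in MAIL FROM is legitimate (bounces). */
    if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
        return 1;
    /* No user part: reject. */
    if (m->user[0] == '\0')
        return 0;
    /* No domain: treat as a local user and append the server's domain. */
    if (m->domain[0] == '\0') {
        snprintf(m->domain, sizeof m->domain, "%s", default_domain);
        /* Flawed version: return 1 unconditionally, so a local part that
         * valid_localpart() just rejected is accepted anyway. Corrected
         * version: acceptance depends on the local part again. */
        return fixed ? valid_localpart(m->user) : 1;
    }
    return 0;
}

/* Wrapper with the default domain set to "localhost" (constructed value). */
static int check(const char *line, int mailfrom, int fixed)
{
    struct mailaddr m;
    return mailaddr_check(&m, line, mailfrom, "localhost", fixed);
}

int main(void)
{
    /* Constructed sample senders; the third carries shell metacharacters. */
    const char *samples[] = { "alice@example.org", "alice", ";sleep 66;",
                              ";sleep 66;@example.org", "" };
    size_t i;

    printf("%-26s %-8s %-8s\n", "MAIL FROM:<...>", "flawed", "fixed");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s %-8s %-8s\n", samples[i],
               check(samples[i], 1, 0) ? "accept" : "reject",
               check(samples[i], 1, 1) ? "accept" : "reject");
    return 0;
}
```

The point the model makes explicit: the bad return only fires when the sender has no '@', because that is the branch that appends the local domain; the same invalid local part with a domain attached is rejected even by the flawed version. The accepted sender is what later reaches the local delivery command, which is why metacharacters in it matter in the default (mbox) configuration. When checking a deployment, test with a domainless sender and confirm the daemon is at or past the vendor's fixed release (OpenSMTPD 6.6.2p1) rather than relying on the character class alone.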