CVE-2020-8794
Published 2020-02-25
Priority P279 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 88.53% (99.8th percentile)
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | opensmtpd | < opensmtpd 6.6.4p1-1 (bookworm) | opensmtpd 6.6.4p1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensmtpd | opensmtpd | < 6.6.4 | 6.6.4 |
| opensmtpd | opensmtpd | >= 0 < 6.6.4p1-1 | 6.6.4p1-1 |
| opensmtpd | opensmtpd | >= 0 < 6.6.4p1-1 | 6.6.4p1-1 |
| opensmtpd | opensmtpd | >= 0 < 6.6.4p1-1 | 6.6.4p1-1 |
| opensmtpd | opensmtpd | >= 0 < 6.6.4p1-1 | 6.6.4p1-1 |
| opensmtpd | opensmtpd | >= 0 < 6.0.3p1-1ubuntu0.2 | 6.0.3p1-1ubuntu0.2 |
| opensmtpd | opensmtpd | >= 0 < 5.4.1p1-1ubuntu0.1~esm1 | 5.4.1p1-1ubuntu0.1~esm1 |
| opensmtpd | opensmtpd | >= 0 < 5.7.3p2-1ubuntu0.1~esm2 | 5.7.3p2-1ubuntu0.1~esm2 |
Detection & IOCs (extracted from sources)
- Inspect SMTP server responses for injected newline characters in reply buffers; exploitation embeds newlines to modify the OpenSMTPD mail envelope and change the message type to MDA for arbitrary command execution.
- Monitor for SMTP bounce sequences where a remote server first responds with a temporary error and then follows up with a fatal error to force an OpenSMTPD server restart — a pattern indicative of server-side exploitation.
- Flag OpenSMTPD versions prior to 6.6.4 as vulnerable; versions released after May 2018 allow command execution as root, while earlier versions (from 5.7.1) allow execution as non-root users.
- The vulnerability resides in the client-side MTA code (mta_session.c / mta_io), not the server listener. Server-side exploitation is possible only indirectly via bounce handling, which causes the server to invoke the vulnerable client code.
- Server-side exploitation requires the attacker to avoid sending a permanent error on the first bounce, because OpenSMTPD automatically discards double bounces; a temporary error must be used first, followed by a fatal error after a server restart.
- The patch (version 6.6.4) adds a length check requiring the final reply line to be greater than 4 characters before processing; detections targeting unpatched behaviour should account for this boundary condition.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
OpenSMTPD vulnerabilities
vendor_ubuntu·2021-03-15·CVSS 9.8
CVE-2020-7247 [CRITICAL] OpenSMTPD vulnerabilities
Title: OpenSMTPD vulnerabilities
Summary: Several security issues were fixed in OpenSMTPD.
It was discovered that OpenSMTPD incorrectly verified the sender's or
receiver's e-mail addresses under certain conditions. An attacker could
possibly use this vulnerability to execute arbitrary commands as root.
(CVE-2020-7247)
It was discovered that OpenSMTPD did not properly handle hardlinks under
certain conditions. An unprivileged local attacker could possibly use this
issue to obtain sensitive information. This issue only affected Ubuntu
16.04 ESM. (CVE-2020-8793)
It was discovered that OpenSMTPD mishandled certain input. A remote,
unauthenticated attacker could possibly use this vulnerability to execute
arbitrary shell commands as any non-root user. This issue only affected
Ubuntu 16.04 ES
Ubuntu
OpenSMTPD vulnerabilities
vendor_ubuntu·2020-03-02·CVSS 4.7
CVE-2020-8793 [MEDIUM] OpenSMTPD vulnerabilities
Title: OpenSMTPD vulnerabilities
Summary: Several security issues were fixed in opensmtpd.
It was discovered that OpenSMTPD mishandled certain input. A remote,
unauthenticated attacker could use this vulnerability to execute arbitrary
shell commands as any non-root user. (CVE-2020-8794)
It was discovered that OpenSMTPD did not properly handle hardlinks under
certain conditions. An unprivileged local attacker could read the first
line of any file on the filesystem. (CVE-2020-8793)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2020-8794: opensmtpd - OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds ...
vendor_debian·2020·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794: opensmtpd - OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds ...
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
Scope: local
bookworm: resolved (fixed in 6.6.4p1-1)
bullseye: resolved (fixed in 6.6.4p1-1)
forky: resolved (fixed in 6.6.4p1-1)
sid: resolved (fixed in 6.6.4p1-1)
trixie: resolved (fixed in 6.6.4p1-1)
GHSA
GHSA-hmw3-c3g9-px9f: OpenSMTPD before 6
ghsa_unreviewed·2022-05-24
CVE-2020-8794 [HIGH] CWE-125 GHSA-hmw3-c3g9-px9f: OpenSMTPD before 6
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
OSV
opensmtpd vulnerabilities
osv·2021-03-15·CVSS 9.8
CVE-2020-7247 [CRITICAL] opensmtpd vulnerabilities
opensmtpd vulnerabilities
It was discovered that OpenSMTPD incorrectly verified the sender's or
receiver's e-mail addresses under certain conditions. An attacker could
possibly use this vulnerability to execute arbitrary commands as root.
(CVE-2020-7247)
It was discovered that OpenSMTPD did not properly handle hardlinks under
certain conditions. An unprivileged local attacker could possibly use this
issue to obtain sensitive information. This issue only affected Ubuntu
16.04 ESM. (CVE-2020-8793)
It was discovered that OpenSMTPD mishandled certain input. A remote,
unauthenticated attacker could possibly use this vulnerability to execute
arbitrary shell commands as any non-root user. This issue only affected
Ubuntu 16.04 ESM. (CVE-2020-8794)
OSV
OpenSMTPD vulnerabilities
osv·2020-03-02·CVSS 4.7
CVE-2020-8794 [MEDIUM] OpenSMTPD vulnerabilities
OpenSMTPD vulnerabilities
It was discovered that OpenSMTPD mishandled certain input. A remote,
unauthenticated attacker could use this vulnerability to execute arbitrary
shell commands as any non-root user. (CVE-2020-8794)
It was discovered that OpenSMTPD did not properly handle hardlinks under
certain conditions. An unprivileged local attacker could read the first
line of any file on the filesystem. (CVE-2020-8793)
OSV
CVE-2020-8794: OpenSMTPD before 6
osv·2020-02-25·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794: OpenSMTPD before 6
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
No detection rules found.
Exploit-DB
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)
exploitdb·2020-03-09
CVE-2020-8794 OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'OpenSMTPD OOB Read Local Privilege Escalation',
'Description' => %q{
This module exploits an out-of-bounds read of an attacker-controlled
string in OpenSMTPD's MTA implementation to execute a command as the
root or nobody user, depending on the kind of grammar OpenSMTPD uses.
},
'Author' => [
'Qualys', # Discovery and PoC
'wvu' # Module
],
'References' => [
['CVE', '2020-8794'],
['URL', 'https://seclists.org/oss-sec/2020/q1/96']
],
'DisclosureDate' => '2020-02-24',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true, # NOTE: On
```
Exploit-DB
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution
exploitdb·2020-02-26·CVSS 9.8
CVE-2020-8794 [CRITICAL] OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution
```c
OpenSMTPD .
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
static enum {
CLIENT_SIDE_EXPLOIT,
SERVER_SIDE_EXPLOIT,
} exploit = CLIENT_SIDE_EXPLOIT;
static enum {
NEW_SMTPD_GRAMMAR,
OLD_SMTPD_GRAMMAR,
} grammar = NEW_SMTPD_GRAMMAR;
static struct {
const char * command;
const char * user;
const char * dispatcher;
const char * maildir;
char lines[512];
} inject = {
.command = "X=`mktemp /tmp/x.XXXXXX`&&id>>$X;exit 0",
.user = "root",
.dispatcher = "local_mail",
.maildir = NULL,
};
#define die() do { \
printf("died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
static struct addrinfo *
common_getaddrinfo(const char * const host, const char * const port)
{
const struct addrinfo hints = {
.ai_family = AF_INET,
.
```
Metasploit
OpenSMTPD OOB Read Local Privilege Escalation
metasploit
OpenSMTPD OOB Read Local Privilege Escalation
OpenSMTPD OOB Read Local Privilege Escalation
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
Bugzilla
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [fedora-all]
bugzilla·2020-03-02·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [fedora-all]
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [epel-all]
bugzilla·2020-03-02·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [epel-all]
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution
bugzilla·2020-02-25·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution
CVE-2020-8794 opensmtpd: An out-of-bounds read could lead to remote code execution
An out-of-bounds read introduced in commit 80c6a60c, "when peer outputs a multi-line response ..." could lead to remote code execution either
as root, after May 2018 (commit a8e22235, "switch smtpd to new grammar"); or as any non-root user, before May 2018.
Upstream advisory:
https://www.openwall.com/lists/oss-security/2020/02/24/5
Discussion:
Created opensmtpd tracking bugs for this issue:
Affects: epel-all [bug 1809061]
Affects: fedora-all [bug 1809060]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Trendmicro
Operation Overtrap Targets Japanese Online Banking
blogs_trendmicro·2020-03-13
Operation Overtrap Targets Japanese Online Banking
Exploits & Vulnerabilities
# Operation Overtrap Targets Japanese Online Banking
Learn about the number of ways Operation Overtrap can infect or trap victims with its payload. Also, read about how to protect your personal identity data and money during tax-filing season.
By: Jon Clay
2020/03/13
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the number of ways Operation Overtrap can infect or trap victims with its payload. Also, read about how to protect your personal identity data and money during tax-filing season.
Read on:
#### AWS Launches Bottlerocket, a Linux-based OS for Container Hosting
AWS has launched Bottlerocket, its
Trendmicro
CVE-2020-8794 Can Lead to Privilege Escalation and RCE
blogs_trendmicro·2020-03-12·CVSS 9.8
CVE-2020-8794 [CRITICAL] CVE-2020-8794 Can Lead to Privilege Escalation and RCE
Exploits & Vulnerabilities
# CVE-2020-8794 Can Lead to Privilege Escalation and RCE
A root privilege escalation and remote execution vulnerability (designated as CVE-2020-8794) was discovered in OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code.
By: Alexander Elkholy
2020/03/12
A root privilege escalation and remote execution vulnerability (designated as CVE-2020-8794) has been discovered in the free and open-source Unix Daemon, OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code on vulnerable systems.
### What is the vulnerability about?
Discovered by Qualys Research Labs and disclosed on February 24, 2020
References
- http://packetstormsecurity.com/files/156633/OpenSMTPD-Out-Of-Bounds-Read-Local-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2020/Feb/32
- http://www.openwall.com/lists/oss-security/2020/02/26/1
- http://www.openwall.com/lists/oss-security/2020/03/01/1
- http://www.openwall.com/lists/oss-security/2020/03/01/2
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/
- https://usn.ubuntu.com/4294-1/
- https://www.debian.org/security/2020/dsa-4634
- https://www.openbsd.org/security.html
- https://www.openwall.com/lists/oss-security/2020/02/24/5
Published: 2020-02-25