CVE-2020-7247

CVSS 9.8 CRITICALEPSS 99.0%● KEVCWE-755

In short

OpenSMTPD 6.6 allows remote attackers to execute arbitrary commands as root through a crafted SMTP session with shell metacharacters in the MAIL FROM field. This is a critical vulnerability that affects the default configuration and can lead to complete system compromise.

Technical detail

A failure in input validation in smtp_mailaddr function of smtp_session.c causes an incorrect return value, allowing unauthenticated remote attackers to inject shell metacharacters via the MAIL FROM command. The vulnerability enables arbitrary command execution with root privileges on affected OpenBSD 6.6 systems running the default OpenSMTPD 6.6 configuration.

Summary generated and translated by AI from the official description.

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 17

githubgithub.com/FiroSolutions/cve-2020-7247-exploit★ 25 githubgithub.com/QTranspose/CVE-2020-7247-exploit★ 11 githubgithub.com/r0lh/CVE-2020-7247★ 5 githubgithub.com/superzerosec/cve-2020-7247★ 4 githubgithub.com/presentdaypresenttime/shai_hulud★ 2 githubgithub.com/f4T1H21/CVE-2020-7247★ 2 githubgithub.com/SimonSchoeni/CVE-2020-7247-POC★ 2 githubgithub.com/minhluannguyen/CVE-2020-7247-reproducer★ 1 githubgithub.com/bytescrappers/CVE-2020-7247★ 0 exploitdbwww.exploit-db.com/exploits/48051unverified cve_referencepacketstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.htmlunverified cve_referencepacketstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.htmlunverified cve_referencepacketstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.htmlunverified cve_referencepacketstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/48038unverified exploitdbwww.exploit-db.com/exploits/47984unverified cve_referencepacketstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.htmlunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2020/Jan/49 https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/https://seclists.org/bugtraq/2020/Jan/51 https://usn.ubuntu.com/4268-1/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7247 https://www.debian.org/security/2020/dsa-4611