Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage
2020-01-30 05:56

The delivery agent is invoked by OpenSMTPD executing a shell command, which includes the sender's address as a command-line parameter.

In principle, sender address validation means that whatever sender address an email client supplies can't smuggle in extra commands.

OpenSMTPD's sender address validation code, smtp_mailaddr(), accidentally jumps the gun and approves dangerous sender addresses that can inject arbitrary commands into delivery agent invocations.

If the sender's address has an invalid local part and an empty domain part, smtp_mailaddr() tries to helpfully add a default domain to the address, and then just OKs the string for use on the command line, ignoring the fact that the local part is invalid.
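A simplified C model of the logic flaw described above, next to a corrected ordering of the checks. This is an added illustration, not OpenSMTPD's source: the names check_flawed, check_fixed and DEFAULT_DOMAIN, the allowed character sets, and the sample address are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_DOMAIN "example.org"   /* assumed default domain */

struct addr { const char *user; const char *domain; };

/* Non-empty and made only of alphanumerics plus `extra` (assumed allow-list). */
static int valid_chars(const char *s, const char *extra) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(extra, *s)) return 0;
    return 1;
}
static int valid_localpart(const char *s) { return valid_chars(s, "._+-"); }
static int valid_domain(const char *s)    { return valid_chars(s, ".-"); }

/* Flawed ordering: any failure with an empty domain is "repaired" by adding
 * the default domain and accepted, so an invalid local part slips through. */
int check_flawed(struct addr *a) {
    if (!valid_localpart(a->user) || !valid_domain(a->domain)) {
        if (a->domain[0] == '\0') {
            a->domain = DEFAULT_DOMAIN;
            return 1;               /* BUG: local part is never re-checked */
        }
        return 0;
    }
    return 1;
}

/* Corrected ordering: fill in the default first, then validate both parts. */
int check_fixed(struct addr *a) {
    if (a->domain[0] == '\0')
        a->domain = DEFAULT_DOMAIN;
    return valid_localpart(a->user) && valid_domain(a->domain);
}

int main(void) {
    /* Constructed sender: shell metacharacter in local part, empty domain. */
    struct addr bad1 = { "a;b", "" }, bad2 = { "a;b", "" };
    printf("flawed accepts: %d\n", check_flawed(&bad1));
    printf("fixed accepts:  %d\n", check_fixed(&bad2));
    return 0;
}
```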

The agent invocation command passed to the shell by OpenSMTPD will look something like /usr/libexec/mail.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/30/openbsd_mail_bug/