Vulnerabilities > CVE-2020-7247 - Improper Handling of Exceptional Conditions vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
openbsd
debian
fedoraproject
canonical
CWE-755
critical
nessus
exploit available
metasploit

Summary

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Exploit-Db

Metasploit

descriptionThis module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute a command as the root user.
idMSF:EXPLOIT/UNIX/SMTP/OPENSMTPD_MAIL_FROM_RCE
last seen2020-06-12
modified2020-04-22
published2020-01-29
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb
titleOpenSMTPD MAIL FROM Remote Code Execution

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4268-1.NASL
    descriptionIt was discovered that OpenSMTPD incorrectly verified the sender
    last seen2020-06-01
    modified2020-06-02
    plugin id133522
    published2020-02-06
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133522
    titleUbuntu 18.04 LTS / 19.10 : OpenSMTPD vulnerability (USN-4268-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4268-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133522);
      script_version("1.3");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2020-7247");
      script_xref(name:"USN", value:"4268-1");
    
      script_name(english:"Ubuntu 18.04 LTS / 19.10 : OpenSMTPD vulnerability (USN-4268-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that OpenSMTPD incorrectly verified the sender's or
    receiver's e-mail addresses under certain conditions. An attacker
    could use this vulnerability to execute arbitrary commands as root.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4268-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected opensmtpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'OpenSMTPD MAIL FROM Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:opensmtpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"opensmtpd", pkgver:"6.0.3p1-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"opensmtpd", pkgver:"6.0.3p1-6ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opensmtpd");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_08F5C27D432611EAAF8B00155D0A0200.NASL
    descriptionOpenSMTPD developers report : An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user
    last seen2020-06-01
    modified2020-06-02
    plugin id133327
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133327
    titleFreeBSD : OpenSMTPd -- critical LPE / RCE vulnerability (08f5c27d-4326-11ea-af8b-00155d0a0200)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133327);
      script_version("1.5");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2020-7247");
    
      script_name(english:"FreeBSD : OpenSMTPd -- critical LPE / RCE vulnerability (08f5c27d-4326-11ea-af8b-00155d0a0200)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "OpenSMTPD developers report :
    
    An incorrect check allows an attacker to trick mbox delivery into
    executing arbitrary commands as root and lmtp delivery into executing
    arbitrary commands as an unprivileged user"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.openwall.com/lists/oss-security/2020/01/28/3"
      );
      # https://vuxml.freebsd.org/freebsd/08f5c27d-4326-11ea-af8b-00155d0a0200.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a356904a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7247");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'OpenSMTPD MAIL FROM Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:opensmtpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"opensmtpd>=6.4.0,1<6.6.2,1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4611.NASL
    descriptionQualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.
    last seen2020-06-01
    modified2020-06-02
    plugin id133326
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133326
    titleDebian DSA-4611-1 : opensmtpd - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4611. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133326);
      script_version("1.5");
      script_cvs_date("Date: 2020/02/13");
    
      script_cve_id("CVE-2020-7247");
      script_xref(name:"DSA", value:"4611");
    
      script_name(english:"Debian DSA-4611-1 : opensmtpd - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Qualys discovered that the OpenSMTPD SMTP server performed
    insufficient validation of email addresses which could result in the
    execution of arbitrary commands as root. In addition this update fixes
    a denial of service by triggering an opportunistic TLS downgrade."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/opensmtpd"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2020/dsa-4611"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the opensmtpd packages.
    
    For the oldstable distribution (stretch), these problems have been
    fixed in version 6.0.2p1-2+deb9u2.
    
    For the stable distribution (buster), these problems have been fixed
    in version 6.0.3p1-5+deb10u3. This update also includes non-security
    bugfixes which were already lined up for the Buster 10.3 point
    release."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7247");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'OpenSMTPD MAIL FROM Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensmtpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"opensmtpd", reference:"6.0.3p1-5+deb10u3")) flag++;
    if (deb_check(release:"9.0", prefix:"opensmtpd", reference:"6.0.2p1-2+deb9u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySMTP problems
    NASL idOPENSMTPD_RCE_CVE-2020-7247.NASL
    descriptionA remote code execution vulnerability exists in OpenSMTPD due to unsanitized email inputs. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.
    last seen2020-03-18
    modified2020-02-14
    plugin id133717
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133717
    titleOpenSMTPD Critical LPE / RCE Vulnerability Remote Check
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133717);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/14");
    
      script_cve_id("CVE-2020-7247");
    
      script_name(english:"OpenSMTPD Critical LPE / RCE Vulnerability Remote Check");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is affected by a LPE / RCE Vulnerability.");
      script_set_attribute(attribute:"description", value:
    "A remote code execution vulnerability exists in OpenSMTPD 
     due to unsanitized email inputs. An unauthenticated, 
     remote attacker can exploit this to bypass authentication 
     and execute arbitrary commands with root privileges.");
      script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2020/01/28/3");
      script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2020-7247");
      script_set_attribute(attribute:"see_also", value:"https://www.openbsd.org/errata66.html");
      script_set_attribute(attribute:"solution", value:
    "Update the affected opensmtpd package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7247");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'OpenSMTPD MAIL FROM Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:opensmtpd");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("find_service1.nasl", "smtpserver_detect.nasl");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    
    banner = get_kb_item_or_exit("smtp/banner/" + port);
    if ("ESMTP OpenSMTPD" >!< banner) audit(AUDIT_NOT_LISTEN, "OpenSMTPD", port);
    
    soc = open_sock_tcp(port);
    if (!soc) audit(AUDIT_SOCK_FAIL, port);
    
    timeout = get_kb_item("smtp/"+port+"/greetpause");
    if (isnull(timeout)) timeout = 30;
    socket_set_timeout(socket:soc, timeout:timeout);
    
    hostname = get_kb_item('smtp/'+ port + '/helo');
    if (!hostname) hostname = 'nessus';
    
    banner = smtp_recv_line(socket:soc, code:"220");
    
    if ("OpenSMTPD" >!< banner)
    {
      close(soc);
      audit(AUDIT_NOT_LISTEN, "OpenSMTPD", port);
    }
    
    send(socket:soc, data:'HELO nessus\r\n');
    var res = smtp_recv_line(socket:soc, code:"250");
    
    if (empty_or_null(res) || 'pleased to meet you' >!< res)
    {
      close(soc);
      exit(1, "The SMTP server on port " + port + " didn't respond to 'HELO'.");
    }
    
    send(socket:soc, data:'MAIL FROM:<;echo "This OpenSMTPD is Vulnerable to Command Insertion";>\r\n');
    res = smtp_recv_line(socket:soc, code:"250");
    
    if (empty_or_null(res) || 'error' >< res || 'Error' >< res || 'syntax' >< res )
    {
      close(soc);
      exit(1, "The OpenSMTP server on port " + port + " did not accept email address, therefore, it is not vulnerable");
    }
    
    close(soc);
    report =
      '\nNessus was able to confirm the vulnerability by sending a specially crafted MAIL FROM command to the remote smtp server.\n';
    security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    

Packetstorm

Saint

descriptionOpenSMTPD MAIL FROM command injection
idmail_smtp_opensmtpd
titleopensmtpd_mail_from
typeremote

The Hacker News

idTHN:FE11DF5FD21913ABB0A26444842D05EA
last seen2020-01-30
modified2020-01-30
published2020-01-30
reporterThe Hacker News
sourcehttps://thehackernews.com/2020/01/openbsd-opensmtpd-hacking.html
titleCritical OpenSMTPD Bug Opens Linux and OpenBSD Mail Servers to Hackers

References