OpenSMTPD: ouch! (remote root exploit)

raindog308

Shocking, considering it's the OpenBSD devs:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Interesting read, as techniques from the Morris Worm (1988!) were used to enhance the attack.

Terenas

Tried this on a server of mine running version: OpenSMTPD 6.6.1p1
Couldnt reproduce with based on the cve details. so maybe not all configurations are equally affected?

Update is already in the ports tree https://www.freshports.org/mail/opensmtpd/ for freebsd

TimboJones

Damn you, Zack Morris!

psb777

Terenas said: Couldnt reproduce with based on the cve details. so maybe not all configurations are equally affected?

It only affects mbox. If you deliver to Maildir, it's not affected.

jsg

To accept

MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
250 2.0.0 Ok

as a valid sender is obviously a gross mistake.

What do we learn?

• RfCs are to be taken as a framing proposition that (not at all rarely) needs some tightening before implementation.
• Saving some typing and/or letters, e.g. by presuming $local_domain as default, may have been a smart thing to do decades ago but certainly isn't today.
• The "natural name" rule (with < >) was a stupid idea in the first place and in particular the the syntax was braindead.

In the end it's the (not at all) good old "convenience vs. security" discourse which usually is won by the convenience faction and later has them bleeding for it.

raindog308

jsg said: What do we learn?

Don't pass crap to the shell.

Good writeup: https://www.theregister.co.uk/2020/01/30/openbsd_mail_bug/

Yes, they do things to cleanse before passing, but passing anything to the shell is just inherently dangerous in this context. While ultimately it's a bug that caused this hole (not cleaning properly), this wouldn't have happened if the shell wasn't involved.

jsg

@raindog308 said:

jsg said: What do we learn?

Don't pass crap to the shell.

Yes and no. Yes, one should evidently not post crap to the shell. But no because the first question here is "why use/exec the shell in the first place?". I guess the answer is that back then in the stone age someone thought it's the way to go.
There's just (at least) 2 problems with that: (a) back then security wasn't a major concern and (b) unlike back then the OpenBSD did have security as the priority - and it was, pardon me, dead careless (to avoid saying "stupid") to simply act as if (a) still were the guide line.

And btw, the situation "a and b [and c ...] must be correct" is a rather common constellation in developing secure software and it frankly taints the so far excellent reputation of the OpenBSD devs gravely to not properly cope with that even when half sleeping.
In other words: That error was a beginners error - and that's certainly not what is expected from OpenBSD. The guy who created that piece of code, as well as the 2nd pair of eyes (there was a 2nd pair of eyes, right?) should be seen out of the OpenBSD project.

Good writeup: https://www.theregister.co.uk/2020/01/30/openbsd_mail_bug/

Not better than the original article from qualys you quoted in your OP. Actually worse.

raindog308

jsg said: In other words: That error was a beginners error

Yes, exactly.

Ganonk

thanks for sharing

angstrom

Long live Postfix