// For flags

CVE-2020-7247

OpenSMTPD Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

13
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

La función smtp_mailaddr en el archivo smtp_session.c en OpenSMTPD versión 6.6, como es usado en OpenBSD versión 6.6 y otros productos, permite a atacantes remotos ejecutar comandos arbitrarios como root por medio de una sesión SMTP diseñada, como es demostrado por metacaracteres de shell en un campo MAIL FROM. Esto afecta la configuración predeterminada "uncommented". El problema se presenta debido a un valor de retorno incorrecto tras un fallo en la comprobación de entrada.

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell meta-characters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-20 CVE Reserved
  • 2020-01-28 First Exploit
  • 2020-01-29 CVE Published
  • 2022-03-25 Exploited in Wild
  • 2022-04-15 KEV Due Date
  • 2024-07-17 EPSS Updated
  • 2024-08-04 CVE Updated
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-755: Improper Handling of Exceptional Conditions
CAPEC
References (24)
URL Tag Source
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html Third Party Advisory
http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html Broken Link
http://seclists.org/fulldisclosure/2020/Jan/49 Mailing List
https://seclists.org/bugtraq/2020/Jan/51 Mailing List
https://www.kb.cert.org/vuls/id/390745 Third Party Advisory
https://seclists.org/oss-sec/2020/q1/40
URL Date SRC
https://www.exploit-db.com/exploits/47984 2020-01-30
https://www.exploit-db.com/exploits/48038 2020-02-10
https://www.exploit-db.com/exploits/48051 2020-02-11
https://github.com/QTranspose/CVE-2020-7247-exploit 2021-02-17
https://github.com/bytescrappers/CVE-2020-7247 2021-02-01
https://github.com/r0lh/CVE-2020-7247 2020-02-18
https://github.com/SimonSchoeni/CVE-2020-7247-POC 2022-01-20
https://github.com/f4T1H21/CVE-2020-7247 2021-07-10
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html 2024-08-04
http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html 2024-08-04
http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html 2024-08-04
http://www.openwall.com/lists/oss-security/2020/01/28/3 2024-08-04
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb 2020-01-28
URL Date SRC
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45 2023-11-07
https://www.openbsd.org/security.html 2023-11-07
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E 2023-11-07
https://usn.ubuntu.com/4268-1 2023-11-07
https://www.debian.org/security/2020/dsa-4611 2023-11-07
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openbsd
Search vendor "Openbsd"
 Opensmtpd
Search vendor "Openbsd" for product "Opensmtpd"
 6.6
Search vendor "Openbsd" for product "Opensmtpd" and version "6.6"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 32
Search vendor "Fedoraproject" for product "Fedora" and version "32"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 19.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"
-
Affected