On 2020-01-29, Oriol Demaria <sysad...@the-grid.xyz> wrote:
> I understand that root might be required to open privileged ports, but then
> how commands are run as root when you exploit opensmtpd vulnerability?

For a clue: ls -l /var/mail

How are those messages delivered to those files with those permissions?

> In case someone hasn't seen patch right now your system.

Affected versions: 6.4 to 6.6, -current between May 2018 and today.
Syspatches are available for 6.5 and 6.6. More details about the bug as
discovered:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

In a default OpenBSD installation this gives a local-only root escalation.
This can still be quite bad, e.g. if you have a webserver which has access
to send mail via smtpd on localhost and you allow less-trusted users to
upload PHP scripts etc., or if you have a multi-user system with untrusted
users.

(If you have a single-user system running untrustworthy software, "don't do
that"! It could be used as an escalation there too, but unless you're rather
careful there are probably several other unrelated possible escalations. If
you're sat there thinking that this case is important but you also have
sudo/doas configured with nopasswd access, then it is time to reevaluate
priorities :-)

I hesitate to mention it in case it puts anyone off from updating (DON'T DO
THAT, YOU SHOULD UPDATE!) but it is easy to configure to avoid the
root-escalation aspect of this bug, and many readers will already be doing
this, especially if they maintain multiple systems: forward root's mail (via
/root/.forward or aliases) off the machine.

I haven't tested but presume the same bug also allows running as another
(non-root) user, so it's not a complete workaround, but is something that
can be done quickly while planning a more complicated upgrade.
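As an added example (not part of the thread, and not OpenBSD or OpenSMTPD code), a POSIX sh check for the workaround the reply describes: whether mail addressed to root is forwarded off the host through an aliases table or a /root/.forward file, so that smtpd relays it instead of writing it to /var/mail/root via local mbox delivery. The file paths and their contents below are constructed for the demonstration; it assumes sendmail-style "name: target" aliases syntax, and that the aliases table is consulted before the user's .forward file.

```shell
#!/bin/sh
# Added example, not code from the thread: does mail addressed to root leave
# this host, i.e. would smtpd relay it rather than hand it to local mbox
# delivery into /var/mail/root?  Paths and sample contents are constructed
# for the demo; on a real system point it at /etc/mail/aliases and
# /root/.forward.

# Print the target of a "root: ..." line in a sendmail-style aliases file
# (comment lines start with '#'), or nothing if root is not aliased.
# Always exits 0 so it is safe inside $(...) under set -e.
root_alias_target() {
    [ -r "$1" ] && awk -F: '
        /^[ \t]*#/ { next }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == "root" {
            target = $2; gsub(/^[ \t]+|[ \t]+$/, "", target)
            print target; exit
        }' "$1"
    return 0
}

# Print the first address listed in a ~/.forward file, or nothing.
# Assumption: addresses are one per line or comma-separated; the first wins.
forward_target() {
    [ -r "$1" ] && awk '
        /^[ \t]*#/ { next }
        NF { sub(/,.*/, "", $1); print $1; exit }' "$1"
    return 0
}

# Resolve where root's mail goes.  Assumed expansion order: the aliases table
# first, and only if root is not aliased does the user's .forward apply.
root_mail_target() {
    t=$(root_alias_target "$1")
    [ -n "$t" ] || t=$(forward_target "$2")
    printf '%s\n' "$t"
}

# Exit 0 if root's mail is relayed off-host (target has a non-local domain),
# 1 if it would still be delivered locally: no forwarding at all, an alias to
# another local user, or an @localhost address.
root_mail_leaves_host() {
    case $(root_mail_target "$1" "$2") in
        *@localhost|*@localhost.*) return 1 ;;
        *@*)                       return 0 ;;
        *)                         return 1 ;;
    esac
}

# --- constructed sample files for the demo ---------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Table where root is mentioned only in a comment: root's mail stays local.
cat > "$SAMPLE_DIR/aliases.local" <<'EOF'
# basic system aliases
MAILER-DAEMON: postmaster
postmaster:    root
# root: you
EOF

# The reply's workaround applied in the aliases table.
cat > "$SAMPLE_DIR/aliases.forwarded" <<'EOF'
MAILER-DAEMON: postmaster
postmaster:    root
root:          admin@mail.example.net
EOF

# The same workaround done with a .forward file instead.
printf 'ops@mail.example.net\n' > "$SAMPLE_DIR/dot-forward"

report() {
    if root_mail_leaves_host "$1" "$2"; then
        printf '%s: relayed off-host to %s\n' "$1" "$(root_mail_target "$1" "$2")"
    else
        printf '%s: delivered locally (mbox delivery path still used)\n' "$1"
    fi
}

report "$SAMPLE_DIR/aliases.local"     "$SAMPLE_DIR/no-such-forward"
report "$SAMPLE_DIR/aliases.local"     "$SAMPLE_DIR/dot-forward"
report "$SAMPLE_DIR/aliases.forwarded" "$SAMPLE_DIR/no-such-forward"
```

A hit on an alias only matters once the table has been rebuilt; on OpenBSD, run newaliases(8) after editing /etc/mail/aliases. The check is deliberately conservative: an alias to another local user, or to an @localhost address, is reported as local delivery, since either still ends at the mbox delivery path the reply points at.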