OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
The vulnerable code is in mta_session.c, specifically in the mta_io function, which parses multi-line replies from an SMTP server. The out-of-bounds read occurs when the last line of the reply does not follow the standard three-digit code, space, text format (for example, the line contains only “250” instead of “250 DATA”).
When this occurs, the pointer the program uses to read the reply text is advanced past the ‘\0’ null terminator. The program then reads from beyond the end of the string and appends the following lines to the reply buffer as well.
If the reply is an error, its contents (including the extra lines) are written to an internal envelope file that describes how the mail is to be handled. Because the extra lines can contain newline characters, an attacker can alter this internal file and thereby change the behavior of OpenSMTPD.
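The following is an added illustration, not OpenSMTPD's code: a small, hypothetical multi-line SMTP reply parser (functions classify_line and parse_reply are invented names) that applies the check the description says was missing. It validates the length of each line before indexing position 3, accepts a bare three-digit final line such as “250” (which RFC 5321 permits) without reading past its terminator, and reports exactly how many bytes the reply consumed so that a following reply is never folded into it. The sample input is constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 1024

enum reply_line { REPLY_LAST, REPLY_MORE, REPLY_MALFORMED };

/* Classify one reply line (CRLF already stripped). The length is checked
 * before line[3] is ever touched, so a bare "250" never leads to a read
 * past the NUL terminator: it is simply a final line with empty text. */
static enum reply_line classify_line(const char *line, size_t len, int *code)
{
    size_t i;

    if (len < 3)
        return REPLY_MALFORMED;
    for (i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return REPLY_MALFORMED;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (len == 3)
        return REPLY_LAST;       /* bare code, nothing after it */
    if (line[3] == '-')
        return REPLY_MORE;       /* continuation line */
    if (line[3] == ' ')
        return REPLY_LAST;
    return REPLY_MALFORMED;
}

/* Parse one complete reply from the start of `in`. The text of each line
 * is appended to `out`, separated by '\n'. Returns the reply code and sets
 * *consumed to the number of input bytes used; returns -1 if the reply is
 * malformed, incomplete, or would overflow `out`. */
static int parse_reply(const char *in, size_t inlen, char *out, size_t outsz,
                       size_t *consumed)
{
    size_t pos = 0, outlen = 0, nlines = 0;
    int code = 0;

    out[0] = '\0';
    for (;;) {
        const char *line, *eol, *text;
        size_t len, textlen, need;
        int linecode = 0;
        enum reply_line kind;

        if (pos >= inlen)
            return -1;                        /* reply not complete yet */
        line = in + pos;
        eol = memchr(line, '\n', inlen - pos);
        if (eol == NULL)
            return -1;                        /* wait for the rest of the line */
        len = (size_t)(eol - line);
        if (len > 0 && line[len - 1] == '\r')
            len--;
        pos = (size_t)(eol - in) + 1;

        kind = classify_line(line, len, &linecode);
        if (kind == REPLY_MALFORMED)
            return -1;
        if (nlines == 0)
            code = linecode;
        else if (linecode != code)
            return -1;                        /* code must not change mid-reply */

        /* Text starts at offset 4 only when the line is long enough. */
        text = len > 4 ? line + 4 : "";
        textlen = len > 4 ? len - 4 : 0;

        need = textlen + (nlines > 0 ? 1 : 0) + 1;
        if (outlen + need > outsz)
            return -1;                        /* bounded append, no overflow */
        if (nlines > 0)
            out[outlen++] = '\n';
        memcpy(out + outlen, text, textlen);
        outlen += textlen;
        out[outlen] = '\0';
        nlines++;

        if (kind == REPLY_LAST) {
            *consumed = pos;
            return code;
        }
    }
}

/* Constructed sample: a continuation line, a bare "250" final line (the
 * case from the description), then an unrelated reply that must stay out. */
static const char SAMPLE[] = "250-first\r\n250\r\n220 should not be included\r\n";
static char sample_out[REPLY_MAX];
static size_t sample_consumed;

static int parse_sample(void)
{
    return parse_reply(SAMPLE, sizeof SAMPLE - 1, sample_out,
                       sizeof sample_out, &sample_consumed);
}

/* Parse a single buffer and return only its reply code (or -1). */
static int parse_one(const char *s)
{
    char buf[REPLY_MAX];
    size_t used;
    return parse_reply(s, strlen(s), buf, sizeof buf, &used);
}

int main(void)
{
    int code = parse_sample();
    printf("code=%d text=\"%s\" consumed=%zu next=\"%.3s\"\n", code,
           sample_out, sample_consumed, SAMPLE + sample_consumed);
    return 0;
}
```

The parser stops precisely at the bare “250” line and leaves the “220 …” reply untouched in the input, which is the behavior that prevents later lines from being folded into an error envelope.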
Affected versions: OpenSMTPD before 6.6.4
Remediation: Update to the latest version.