[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : The Bat! directory traversal

Title: The Bat! directory traversal
Released by: Security.NNOV
Date: 4th January 2001
Printable version: Click here
SECURITY.NNOV advisory - The Bat! directory traversal

Topic:                 The Bat! attachments directory traversal

Author:                3APA3A <3APA3A@security.nnov.ru>

Affected Software:     The Bat! Version <= 1.48f (latest available)

Vendor:                RitLabs

Risk:                  Average

Impact:                It's possible to add any file in any directory

                       on the disk with file archive.

Type:                  Client software vulnerability

Remotely exploitable:  Yes

Released:              21 December 2000

Vendor contacted:      21 December 2000

Public release:        04 January  2001

Vendor URL:            http://www.ritlabs.com

Software URL:          http://www.thebat.net

SECURITY.NNOV URL:     http://www.security.nnov.ru (in Russian)

Credits:               Ann Lilith  (wish her good

                       luck, she will need it :)


The  Bat!  is  extremely  convenient  commercially  available  MUA for

Windows  (will be best one then problem will be fixed, I believe) with

lot  of  features by Ritlabs. The Bat! has a feature to store attached

files  independently from message in directory specified by user. This

feature is disabled by default, but commonly used.


The  Bat!  doesn't  allow  filename  of  attached  file to contain '\'

symbol,  if name is specified as clear text. The problem is, that this

check   isn't   performed  then  filename  specified  as  RFC's  2047



It's possible to add any files in any directory on the disk where user

stores  his  attachments.  For  example,  attacker  can  decide to put

backdoor executable in Windows startup folder. Usually it's impossible

to  overwrite  existing  files,  because  The  Bat! will add number to

filename  if  file  already  exists.  The  only case then files can be

overwritten  is  then  "extract  files  to"  is  configured in message

filtering rules and "overwrite file" is selected.


Vendor  (Rit  Labs)  was  contacted on December, 21. Last reply was on

December, 22. Vendor claims the patch is ready, but this patch was not

provided   for  testing  and  version  distributed  through  FTP  site

http://ftp.ritlabs.com/pub/the_bat/the_bat.exe  IS vulnerable. It looks

like  all  the staff is on their X-mas vocations or they don't want to

release  new  version  because  latest  one was freshly released (file

dated December 20).


By  default  The  Bat!  stores  attachments  in  C:\Program  Files\The

Bat!\MAIL\%USERNAME%\Attach folder.

(BTW:  I  don't  think storing MAIL in Program Files instead of User's

profile or user's home directory is good idea).

In this configuration

Content-Type: image/gif

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

will save attached file as

C:\Windows\Start Menu\Programs\Startup\123.exe

( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

There  is  no  need  to know exact level of directory, just add enough

"..\" in the beginning and you will be in the root of the disk.


Disable "File attachment stored separate from message" option. In case

this  option  is disabled there is still 'social engineering' problem,

because  The  Bat!  suggests 'spoofed' directory to save file then you

choose to save it. Be careful.


Not available yet. Wait for new version.

This  advisory  is being provided to you under RFPolicy v.2 documented

at http://www.wiretrip.net/rfp/policy.html.



        { . . }     |\

+--oQQo->{ ^ }<-----+ \

|  3APA3A  U  3APA3A   } You know my name - look up my number (The Beatles)

+-------------o66o--+ /


SECURITY.NNOV is http://www.security.nnov.ru - Russian security project

(C) 1999-2000 All rights reserved.