[14156] in bugtraq
Minor security problem in The Bat!
daemon@ATHENA.MIT.EDU (3APA3A)
Fri Mar 3 14:18:03 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Message-Id: <200003021443.RAA31070@adm.sci-nnov.ru>
Date: Thu, 2 Mar 2000 17:43:08 +0300
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
"The Bat!" by RitLabs is an extremely convenient mail agent for Windows
platforms with a lot of features. One of "The Bat!" features is storing
files attached to e-mail messages apart from the message bodies. In this
case "The Bat!" puts the attached files in a preconfigured folder and
removes the corresponding MIME part from the message. Instead, "The Bat!"
adds an additional pseudo-header X-BAT-FILES, something like:
X-BAT-FILES: D:\Home\Incoming\attachment.doc
There are a few possible troubles:
1. When forwarding a message with an attachment, this header isn't stripped.
This lets the recipient of the forward know the physical location of the
user's incoming files. This can be very useful for an attack like the one in
"Georgi Guninski security advisory #8, 2000" ;-) because you can send any
file to the user and you will know where this file will be located.
2. "The Bat!" doesn't check whether the headers of an incoming message
already contain this header (and this is even more dangerous). An intruder
can spoof this header, for example by specifying
X-BAT-FILES: C:\WINDOWS\user.dat
in the message headers. In this case user.dat will appear as a message
attachment! If the recipient forwards this message, user.dat will be
attached to the forward. If the recipient deletes this message and the option
"Delete attached file when message deleted from trash folder" is checked,
C:\WINDOWS\user.dat will be deleted.
Tested with version 1.39.
Vendor contacted.
http://www.security.nnov.ru
P.S. "The Bat!" users will see their own c:\autoexec.bat attached to this
mail...
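As an added example (not part of the original advisory and not RitLabs code), a small mail-gateway filter for the X-BAT-FILES pseudo-header described above: it lists the paths a message claims, flags any path that does not resolve inside the configured attachment folder (a legitimate header never points elsewhere), and strips the header so it neither leaks a local path on forward nor reaches the client from outside. The folder D:\Home\Incoming and the sample message are constructed for the demonstration.

```python
# Added example: filter for the X-BAT-FILES pseudo-header. Header name is the one
# from the advisory; the attachment folder and the sample message are assumptions.
from email import message_from_string, policy
from ntpath import normcase, normpath

HEADER = "X-BAT-FILES"


def extract_bat_files(raw: str) -> list[str]:
    """Return every path named in X-BAT-FILES headers of a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    # Header-name lookup is case-insensitive; get_all returns every occurrence.
    return [str(v).strip() for v in msg.get_all(HEADER, [])]


def outside_folder(paths: list[str], incoming_dir: str) -> list[str]:
    """Paths that do not resolve under the configured attachment folder.

    Comparison is Windows-style and case-insensitive; normpath collapses
    '..' components so 'D:\\Home\\Incoming\\..\\..\\WINDOWS\\user.dat' is
    recognised as D:\\WINDOWS\\user.dat rather than accepted by its prefix.
    """
    base = normcase(normpath(incoming_dir)).rstrip("\\") + "\\"
    return [p for p in paths if not normcase(normpath(p)).startswith(base)]


def strip_bat_files(raw: str) -> str:
    """Return the message with all X-BAT-FILES headers removed.

    Apply it to outbound forwards (path disclosure) and to inbound mail
    (spoofed header naming a local file) alike.
    """
    msg = message_from_string(raw, policy=policy.default)
    del msg[HEADER]  # deletes every occurrence of the header
    return msg.as_string()


# Constructed inbound message carrying two spoofed headers: one absolute path
# outside the folder, one that tries to escape the folder with '..'.
SPOOFED = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: hi\n"
    "X-BAT-FILES: C:\\WINDOWS\\user.dat\n"
    "X-BAT-FILES: D:\\Home\\Incoming\\..\\..\\WINDOWS\\user.dat\n"
    "\n"
    "body\n"
)
```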
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*