[14193] in bugtraq
Re: Minor security problem in The Bat!
daemon@ATHENA.MIT.EDU (Andrei Koulik)
Tue Mar 7 09:38:49 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <6872.000305@sci-nnov.ru>
Date: Sun, 5 Mar 2000 20:57:03 +0300
Reply-To: Andrei Koulik <agk@sci-nnov.ru>
From: Andrei Koulik <agk@SCI-NNOV.RU>
X-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200003021443.RAA31070@adm.sci-nnov.ru>
Thursday, March 02, 2000, 5:43:08 PM, 3APA3A wrote:
3> Hello,
3> "The Bat!" by RitLabs is an extremely convenient mail agent with a lot of
3> features for Windows platforms. One of "The Bat!" features is storing
3> files attached to e-mail messages apart from message bodies. In this
3> case "The Bat!" puts attached files in a preconfigured folder and
3> removes the corresponding MIME part from the message. Instead, "The Bat!" adds
3> an additional pseudo-header X-BAT-FILES, something like:
3> X-BAT-FILES: D:\Home\Incoming\attachment.doc
3> There are a few possible troubles:
3> 1. When forwarding a message with an attachment this header isn't stripped.
3> This fact allows the recipient of the forward to know the physical
3> location of the user's incoming files. This can be very useful for
3> an attack like in "Georgi Guninski security advisory #8, 2000" ;-)
3> because you can send any file to the user and you will know where this
3> file will be located.
3> 2. "The Bat!" doesn't check whether the headers of an incoming message contain
3> this header (and this is even more dangerous). An intruder can spoof this
3> header, for example to specify
3> X-BAT-FILES: C:\WINDOWS\user.dat
3> in the message headers. In this case user.dat will appear as a message
3> attachment! If the recipient forwards this message, user.dat will be
3> attached to the forward. If the recipient deletes this message and the option
3> "Delete attached file then message deleted from trash folder" is
3> checked, C:\WINDOWS\user.dat will be deleted.
3> Tested with version 1.39
3> Vendor contacted.
3> http://www.security.nnov.ru
3> P.S. "The Bat!" users will see their own c:\autoexec.bat attached to
3> mail...
3> /\_/\
3> { . . } |\
+--oQQo->>{ ^ }<-----+ \
3> | 3APA3A U 3APA3A }
3> +-------------o66o--+ /
3> |/
3> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This problem can be more dangerous if the "device path string
vulnerability" is used.
An intruder can spoof mail to add a line like this to the header:
X-BAT-FILES: [drive:]\[device]\[device]
It will crash the operating system.
The following five device drivers can be used: CON, NUL, AUX, CLOCK$ and CONFIG$.
Vulnerable systems: Windows 95, 98 with FAT32.
Systems with FAT16 do not seem to be vulnerable.
Exploit:
Simply add the string
X-BAT-FILES: c:\con\con
to the mail header.
Based on information provided by: <mailto:vorlon@securax.org> Filip Maertens.
Best regards,
Andrei Koulik mailto:agk@sci-nnov.ru
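
A mail gateway can neutralise both issues in this thread by stripping X-BAT-FILES from every message crossing it, inbound (spoofed header) and outbound (path disclosure on forward). The sketch below is an added example, not code from either poster or from RitLabs. The function names are hypothetical, and it assumes the header value is a single Windows path.

```python
import email
import re

# Device names taken from the reply above.
DEVICE_NAMES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}
HEADER = "X-BAT-FILES"


def device_components(path):
    """Return the components of a Windows path that name a reserved device."""
    hits = []
    for part in re.split(r"[\\/]", path.strip()):
        # DOS resolves a device name even with an extension (CON.txt -> CON).
        if part.split(".")[0].upper() in DEVICE_NAMES:
            hits.append(part)
    return hits


def strip_bat_files_header(raw_bytes):
    """Remove every X-BAT-FILES header; return (clean_bytes, findings)."""
    msg = email.message_from_bytes(raw_bytes)
    findings = [
        {"value": v.strip(), "device_names": device_components(v)}
        for v in msg.get_all(HEADER, [])
    ]
    del msg[HEADER]  # case-insensitive, removes all occurrences
    return msg.as_bytes(), findings


# Constructed sample message, not a captured one.
SAMPLE = b"\r\n".join([
    b"From: sender@example.org",
    b"To: user@example.org",
    b"Subject: test",
    rb"X-BAT-FILES: c:\con\con",
    rb"x-bat-files: C:\WINDOWS\user.dat",
    b"",
    b"hello",
])

if __name__ == "__main__":
    clean, findings = strip_bat_files_header(SAMPLE)
    for f in findings:
        print("stripped:", f["value"], "device names:", f["device_names"])
```

The findings list is worth logging: an X-BAT-FILES header arriving from outside is never legitimate, and one containing a device name marks a crash attempt rather than a file-disclosure attempt.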