[19997] in bugtraq
Subject: ~..~!guano
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <2920454.986239232851.JavaMail.imail@goochy.excite.com>
Date: Mon, 2 Apr 2001 12:20:26 -0700
Reply-To: http-equiv@excite.com
From: "http-equiv@excite.com" <http-equiv@excite.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Wednesday, 28 March, 2001
The BAT! ~..~ is a feisty multi-tasking email client that is rapidly gaining
popularity and for good reason. Cursory examination of it reveals solid
effective security measures on all fronts, including non-browser dependent
html viewing (with on/off switch), random named file cache, exceptional
warnings when clicking on just about any attachment be it *.html, *.txt etc.
Really very good. Good warning scheme others can learn from.
One problem. ~..~ ~..~ ~..~
We are able to blind The BAT! ~..~ with trivial file extension
modifications and carefully calculated file name lengths:
Content-Type:image/gif;
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename=" what's this?
.gif.exe"
This will create an inline attachment, which, while not important, will not be
indicated in the inbox. What is important is that the attachment, viewed once
the mail message has been opened, will be shown with the icon of something else. On
two Win98 machines, we achieved the icon of a folder:
(screen shot: http://www.malware.com/guano.jpg 32KB)
and the icon of the local machine hard drive. BAT! worse, when clicking the
icon, the *.exe is executed without warning. The comprehensive warning for
*.exe attachments is bypassed. As far as the client is concerned there is no
attachment and there is no file extension, other than what we decide to give
it.
Tested on Win98 and The Bat! Version 1.51 (The BAT! settings appear to have
no relation to this).
Working example (includes harmless *.exe):
Save to disk
http://www.malware.com/guano.eml
Create a new mail message in The Bat!, attach the *.eml, click on it, and
then the attachment therein. A manufactured attachment sent directly to
The Bat! inbox results in the same.
Notes: Manufacturer http://www.ritlabs.com/ informs they will repair this in
the next Beta.
~..~
---
http://www.malware.com
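A gateway-side check for the filename trick described in the post, added here as an example (it is not code from the post or from RITLabs): it unfolds the Content-Disposition header while keeping the padding whitespace, then flags any part whose real extension is executable, whose declared Content-Type contradicts that, or whose name carries a double extension or a long run of spaces. The sample message, the dummy base64 body and the EXECUTABLE_EXTS list are constructed for illustration.

```python
import re
from email import message_from_string
# Extensions Windows runs on double-click (assumed list; extend for your gateway).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "lnk"}

def unfold(value):
    """Join folded header lines, keeping the continuation whitespace (the padding)."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)

def attachment_filename(part):
    """Raw filename from Content-Disposition (quoted or bare token), or None."""
    cd = part.get("Content-Disposition")
    m = cd and re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', unfold(cd))
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else None

def deceptive_filename_findings(part):
    """Checks for one part: executable extension, contradicting type, padding."""
    name = attachment_filename(part) or ""
    exts = [e.lower() for e in name.split(".")[1:]]
    real_ext = exts[-1] if exts else ""
    findings = []
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{real_ext}")
        ctype = part.get_content_type()
        if ctype.startswith(("image/", "text/", "audio/", "video/")):
            findings.append(f"declared as {ctype} but executable")
        if len(exts) > 1:
            findings.append("double extension ." + ".".join(exts))
    if re.search(r"[ \t]{5,}", name):
        findings.append("whitespace padding in filename")
    return findings

def scan_message(raw):
    """Return [(filename, findings)] for every part that trips a check."""
    hits = []
    for part in message_from_string(raw).walk():
        findings = deceptive_filename_findings(part)
        if findings:
            hits.append((attachment_filename(part), findings))
    return hits

def build_sample(filename_line):
    """Constructed single-part message modelled on the post's headers; dummy body."""
    return ("Content-Type:image/gif;\r\nContent-Transfer-Encoding: base64\r\n"
            "Content-Disposition: inline;\r\n" + filename_line +
            "\r\n\r\nQ09OU1RSVUNURUQ=\r\n")
# 60 spaces of padding, then the real extension on a folded continuation line.
TRICK = build_sample('\tfilename=" what\'s this?' + " " * 60 + '\r\n\t.gif.exe"')
BENIGN = build_sample('\tfilename="picture.gif"')
```

Run `scan_message(TRICK)` to see all four findings for the padded name, and `scan_message(BENIGN)` to confirm a plain picture.gif passes clean.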