[18449] in bugtraq
Re: SECURITY.NNOV advisory - The Bat! directory traversal (public
daemon@ATHENA.MIT.EDU (Thomas Fernandez)
Fri Jan 5 16:02:05 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <1361942592.20010105230636@gmx.net>
Date: Fri, 5 Jan 2001 23:06:36 +0800
Reply-To: Thomas Fernandez <Thomas.F.ML@gmx.net>
From: Thomas Fernandez <Thomas.F.ML@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <1341414855444.20010104215546@SECURITY.NNOV.RU>
Hello 3APA3A,
I received this reply from Ritlabs:
> Dear Thomas,
>
>
> This is fixed in the version (which is unofficial one) you have and
> 1.49 is on its way - it will be released tonight :-)
>
>
> Thank you for your support!
>
>
>
> --
> Sincerely,
> Stefan mailto:bugs@thebat.net
Stefan Tanurkov is one of the two developers of The Bat!.
--
Cheers,
Thomas mailto:Thomas.F.ML@gmx.net
I'm using The Bat! 1.49 Beta/1 under Chinese Windows 98
4.10 Build 1998 with a Celeron 366 MHz, 128 MB RAM
On Thu, 4 Jan 2001 21:55:46 +0300 GMT (05/01/2001, 02:55 +0800 GMT),
3APA3A wrote:
3> SECURITY.NNOV advisory - The Bat! directory traversal
3> Topic: The Bat! attachments directory traversal
3> Author: 3APA3A <3APA3A@security.nnov.ru>
3> Affected Software: The Bat! Version <= 1.48f (latest available)
3> Vendor: RitLabs
3> Risk: Average
3> Impact: It's possible to add any file in any directory
3> on the disk with file archive.
3> Type: Client software vulnerability
3> Remotely exploitable: Yes
3> Released: 21 December 2000
3> Vendor contacted: 21 December 2000
3> Public release: 04 January 2001
3> Vendor URL: http://www.ritlabs.com
3> Software URL: http://www.thebat.net
3> SECURITY.NNOV URL: http://www.security.nnov.ru (in Russian)
3> Credits: Ann Lilith <lilith-@rambler.ru> (wish her good
3> luck, she will need it :)
3> Background:
3> The Bat! is an extremely convenient, commercially available MUA for
3> Windows (it will be the best one when the problem is fixed, I believe) with
3> lots of features, by Ritlabs. The Bat! has a feature to store attached
3> files independently from the message in a directory specified by the user. This
3> feature is disabled by default, but commonly used.
3> Problem:
3> The Bat! doesn't allow the filename of an attached file to contain the '\'
3> symbol if the name is specified as clear text. The problem is that this
3> check isn't performed when the filename is specified as an RFC 2047
3> 'encoded-word'.
3> Impact:
3> It's possible to add any files in any directory on the disk where the user
3> stores his attachments. For example, an attacker can decide to put a
3> backdoor executable in the Windows startup folder. Usually it's impossible
3> to overwrite existing files, because The Bat! will add a number to the
3> filename if the file already exists. The only case when files can be
3> overwritten is when "extract files to" is configured in message
3> filtering rules and "overwrite file" is selected.
3> Vendor:
3> Vendor (Rit Labs) was contacted on December 21. Last reply was on
3> December 22. Vendor claims the patch is ready, but this patch was not
3> provided for testing, and the version distributed through the FTP site
3> ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. It looks
3> like all the staff is on their X-mas vacations or they don't want to
3> release a new version because the latest one was freshly released (file
3> dated December 20).
3> Exploitation:
3> By default The Bat! stores attachments in C:\Program Files\The
3> Bat!\MAIL\%USERNAME%\Attach folder.
3> (BTW: I don't think storing MAIL in Program Files instead of the user's
3> profile or the user's home directory is a good idea).
3> In this configuration
3> Content-Type: image/gif
3> Content-Transfer-Encoding: base64
3> Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="
3> will save attached file as
3> C:\Windows\Start Menu\Programs\Startup\123.exe
3> ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )
3> There is no need to know the exact level of the directory, just add enough
3> "..\" at the beginning and you will be in the root of the disk.
3> Workaround:
3> Disable the "File attachment stored separate from message" option. In case
3> this option is disabled there is still a 'social engineering' problem,
3> because The Bat! suggests a 'spoofed' directory to save the file when you
3> choose to save it. Be careful.
3> Solution:
3> Not available yet. Wait for new version.
3> This advisory is being provided to you under RFPolicy v.2 documented
3> at http://www.wiretrip.net/rfp/policy.html.
3> --
3> 3APA3A
3> You know my name - look up my number (The Beatles)
3> SECURITY.NNOV is http://www.security.nnov.ru - Russian security project
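The check the advisory describes, run on the raw header value and again after RFC 2047 decoding, as an added example (not code from the advisory, from Ritlabs or from The Bat!). It assumes the advisory's default attachment folder with %USERNAME% replaced by the hypothetical name `user`, and uses the advisory's own encoded-word filename as constructed input.

```python
import ntpath
from email.header import decode_header

# Constructed input: the advisory's encoded-word filename, whose decoded
# form is a relative path made of "..\" segments.
ENCODED_WORD_FILENAME = (
    "=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51"
    "XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="
)
# Assumed attachment folder: the advisory's default path, %USERNAME% -> "user".
ATTACH_DIR = r"C:\Program Files\The Bat!\MAIL\user\Attach"


def decode_filename(raw):
    """Decode RFC 2047 encoded-words in a filename parameter; plain text passes through."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def naive_check(raw):
    """Models the pre-fix behaviour the advisory describes: '\\' is rejected
    only in the raw header text, so an encoded-word filename is never inspected."""
    return "\\" not in raw


def safe_attachment_name(raw):
    """Decode first, then validate. Returns the bare filename, or None to reject."""
    name = decode_filename(raw).strip()
    if not name or "\x00" in name:
        return None
    # Any separator or drive letter means the sender is choosing a directory.
    if any(sep in name for sep in ("\\", "/", ":")):
        return None
    if name in (".", ".."):
        return None
    return name


def stays_inside(attach_dir, name):
    """Final guard: the resolved target must remain below the attachment folder."""
    base = ntpath.normpath(attach_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    return target.startswith(base + "\\")
```

`naive_check` accepts the encoded-word filename because the raw header contains no backslash, while `safe_attachment_name` rejects it after decoding and `stays_inside` shows the resolved path leaving the attachment folder.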