Re: SECURITY.NNOV advisory - The Bat! directory traversal (public release)

[Thomas Fernandez <Thomas.F.ML () gmx net>]

Hello 3APA3A,

I received this reply from Ritlabs:

> Dear Thomas,
>
>
> This is fixed in the version (which is unofficial one) you have and
> 1.49 is on its way - it will be released tonight :-)
>
>
> Thank you for your support!
>
>
>
> --
> Sincerely,
>  Stefan                            mailto:bugs () thebat net

Stefan Tanurkov is one of the two developers of The Bat!.

--

Cheers,
Thomas                            mailto:Thomas.F.ML () gmx net

I'm using The Bat! 1.49 Beta/1 under Chinese Windows 98
4.10 Build 1998 with a Celeron 366Mhz, 128MB RAM

On         Thu, 4 Jan 2001 21:55:46 +0300 GMT (05/01/2001, 02:55 +0800 GMT),
3APA3A wrote:

3> SECURITY.NNOV advisory - The Bat! directory traversal


3> Topic:                 The Bat! attachments directory traversal
3> Author:                3APA3A <3APA3A () security nnov ru>
3> Affected Software:     The Bat! Version <= 1.48f (latest available)
3> Vendor:                RitLabs
3> Risk:                  Average
3> Impact:                It's possible to add any file in any directory
3>                        on the disk with file archive.
3> Type:                  Client software vulnerability
3> Remotely exploitable:  Yes
3> Released:              21 December 2000
3> Vendor contacted:      21 December 2000
3> Public release:        04 January  2001
3> Vendor URL:            http://www.ritlabs.com
3> Software URL:          http://www.thebat.net
3> SECURITY.NNOV URL:     http://www.security.nnov.ru (in Russian)
3> Credits:               Ann Lilith <lilith- () rambler ru> (wish her good
3>                        luck, she will need it :)

3> Background:
3> The  Bat!  is  extremely  convenient  commercially  available  MUA for
3> Windows  (will be best one then problem will be fixed, I believe) with
3> lot  of  features by Ritlabs. The Bat! has a feature to store attached
3> files  independently from message in directory specified by user. This
3> feature is disabled by default, but commonly used.

3> Problem:
3> The  Bat!  doesn't  allow  filename  of  attached  file to contain '\'
3> symbol,  if name is specified as clear text. The problem is, that this
3> check   isn't   performed  then  filename  specified  as  RFC's  2047
3> 'encoded-word'.

3> Impact:
3> It's possible to add any files in any directory on the disk where user
3> stores  his  attachments.  For  example,  attacker  can  decide to put
3> backdoor executable in Windows startup folder. Usually it's impossible
3> to  overwrite  existing  files,  because  The  Bat! will add number to
3> filename  if  file  already  exists.  The  only case then files can be
3> overwritten  is  then  "extract  files  to"  is  configured in message
3> filtering rules and "overwrite file" is selected.

3> Vendor:
3> Vendor  (Rit  Labs)  was  contacted on December, 21. Last reply was on
3> December, 22. Vendor claims the patch is ready, but this patch was not
3> provided   for  testing  and  version  distributed  through  FTP  site
3> ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe  IS vulnerable. It looks
3> like  all  the staff is on their X-mas vocations or they don't want to
3> release  new  version  because  latest  one was freshly released (file
3> dated December 20).


3> Exploitation:
3> By  default  The  Bat!  stores  attachments  in  C:\Program  Files\The
3> Bat!\MAIL\%USERNAME%\Attach folder.
3> (BTW:  I  don't  think storing MAIL in Program Files instead of User's
3> profile or user's home directory is good idea).
3> In this configuration

3> Content-Type: image/gif
3> Content-Transfer-Encoding: base64
3> Content-Disposition: attachment; 
filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

3> will save attached file as
3> C:\Windows\Start Menu\Programs\Startup\123.exe
3> ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

3> There  is  no  need  to know exact level of directory, just add enough
3> "..\" in the beginning and you will be in the root of the disk.


3> Workaround:
3> Disable "File attachment stored separate from message" option. In case
3> this  option  is disabled there is still 'social engineering' problem,
3> because  The  Bat!  suggests 'spoofed' directory to save file then you
3> choose to save it. Be careful.


3> Solution:
3> Not available yet. Wait for new version.

3> This  advisory  is being provided to you under RFPolicy v.2 documented
3> at http://www.wiretrip.net/rfp/policy.html.



3> --
3>          /\_/\
3>         { . . }     |\
+--oQQo->>{ ^ }<-----+ \
3> |  3APA3A  U  3APA3A   } You know my name - look up my number (The Beatles)
3> +-------------o66o--+ /
3>                     |/
3> SECURITY.NNOV is http://www.security.nnov.ru - Russian security project