Bugtraq mailing list archives
Re: SECURITY.NNOV advisory - The Bat! directory traversal (public release)
From: Thomas Fernandez <Thomas.F.ML () gmx net>
Date: Fri, 5 Jan 2001 23:06:36 +0800
Hello 3APA3A, I received this reply from Ritlabs:
> Dear Thomas,
>
> This is fixed in the version (which is unofficial one) you have and 1.49 is on its way - it will be released tonight :-)
>
> Thank you for your support!
>
> --
> Sincerely,
> Stefan mailto:bugs () thebat net

Stefan Tanurkov is one of the two developers of The Bat!.

--
Cheers,
Thomas mailto:Thomas.F.ML () gmx net

I'm using The Bat! 1.49 Beta/1 under Chinese Windows 98 4.10 Build 1998 with a Celeron 366Mhz, 128MB RAM

On Thu, 4 Jan 2001 21:55:46 +0300 GMT (05/01/2001, 02:55 +0800 GMT), 3APA3A wrote:

3> SECURITY.NNOV advisory - The Bat! directory traversal
3>
3> Topic: The Bat! attachments directory traversal
3> Author: 3APA3A <3APA3A () security nnov ru>
3> Affected Software: The Bat! Version <= 1.48f (latest available)
3> Vendor: RitLabs
3> Risk: Average
3> Impact: It's possible to add any file in any directory
3> on the disk with file archive.
3> Type: Client software vulnerability
3> Remotely exploitable: Yes
3> Released: 21 December 2000
3> Vendor contacted: 21 December 2000
3> Public release: 04 January 2001
3> Vendor URL: http://www.ritlabs.com
3> Software URL: http://www.thebat.net
3> SECURITY.NNOV URL: http://www.security.nnov.ru (in Russian)
3> Credits: Ann Lilith <lilith- () rambler ru> (wish her good
3> luck, she will need it :)
3>
3> Background:
3>
3> The Bat! is an extremely convenient commercially available MUA for
3> Windows (will be the best one when the problem is fixed, I believe) with a
3> lot of features by Ritlabs. The Bat! has a feature to store attached
3> files independently from the message in a directory specified by the user. This
3> feature is disabled by default, but commonly used.
3>
3> Problem:
3>
3> The Bat! doesn't allow the filename of an attached file to contain the '\'
3> symbol, if the name is specified as clear text. The problem is that this
3> check isn't performed when the filename is specified as an RFC 2047
3> 'encoded-word'.
3>
3> Impact:
3>
3> It's possible to add any files in any directory on the disk where the user
3> stores his attachments. For example, an attacker can decide to put a
3> backdoor executable in the Windows startup folder. Usually it's impossible
3> to overwrite existing files, because The Bat! will add a number to the
3> filename if the file already exists. The only case when files can be
3> overwritten is when "extract files to" is configured in message
3> filtering rules and "overwrite file" is selected.
3>
3> Vendor:
3>
3> Vendor (Rit Labs) was contacted on December, 21. Last reply was on
3> December, 22. Vendor claims the patch is ready, but this patch was not
3> provided for testing and the version distributed through the FTP site
3> ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. It looks
3> like all the staff is on their X-mas vacations or they don't want to
3> release a new version because the latest one was freshly released (file
3> dated December 20).
3>
3> Exploitation:
3>
3> By default The Bat! stores attachments in the C:\Program Files\The
3> Bat!\MAIL\%USERNAME%\Attach folder.
3> (BTW: I don't think storing MAIL in Program Files instead of the user's
3> profile or user's home directory is a good idea).
3>
3> In this configuration
3>
3> Content-Type: image/gif
3> Content-Transfer-Encoding: base64
3> Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="
3>
3> will save the attached file as
3>
3> C:\Windows\Start Menu\Programs\Startup\123.exe
3> ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )
3>
3> There is no need to know the exact level of the directory, just add enough
3> "..\" at the beginning and you will be in the root of the disk.
3>
3> Workaround:
3>
3> Disable the "File attachment stored separate from message" option. In case
3> this option is disabled there is still a 'social engineering' problem,
3> because The Bat! suggests the 'spoofed' directory to save the file when you
3> choose to save it. Be careful.
3>
3> Solution:
3>
3> Not available yet. Wait for the new version.
3>
3> This advisory is being provided to you under RFPolicy v.2 documented
3> at http://www.wiretrip.net/rfp/policy.html.
3>
3> --
3> /\_/\
3> { . . } |\ +--oQQo->>{ ^ }<-----+ \
3> | 3APA3A U 3APA3A } You know my name - look up my number (The Beatles)
3> +-------------o66o--+ /
3> |/
3>
3> SECURITY.NNOV is http://www.security.nnov.ru - Russian security project
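The root cause in the advisory is an ordering bug: the '\' check ran on the raw header text, not on the text an RFC 2047 encoded-word decodes to. The following is an added illustration, not code from The Bat! or from 3APA3A, of how a mail client should handle a `filename=` value: decode first, then sanitise and confirm the final path stays inside the attachment directory. The attachment folder is the default named in the advisory with a placeholder user, the B-encoded filename is the one the advisory quotes, and the Q-encoded name is constructed for the example.

```python
import base64
import ntpath
import quopri
import re

# RFC 2047 encoded-word: =?charset?B|Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# Constructed sample values: the default attachment folder from the advisory
# (with a placeholder user name) and the B-encoded filename the advisory quotes.
ATTACH_DIR = r"C:\Program Files\The Bat!\MAIL\user\Attach"
ADVISORY_FILENAME = ("=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51"
                     "XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?=")


def decode_encoded_words(value: str) -> str:
    """Replace every RFC 2047 encoded-word in a header value with its text."""
    def one(m):
        charset, enc, text = m.group(1).split("*")[0], m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(text)
        else:  # Q encoding: =XX hex escapes, '_' stands for a space
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(one, value)


def stays_inside(attach_dir: str, name: str) -> bool:
    """True only if attach_dir joined with name resolves under attach_dir.
    Uses ntpath (Windows rules: '\\' and '/' both separate, drive letters,
    case-insensitive), so the check behaves the same on any host."""
    base = ntpath.normcase(ntpath.normpath(attach_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(attach_dir, name)))
    return ntpath.commonpath([base, target]) == base


def safe_attachment_name(header_value: str) -> str:
    """Decode first, then sanitise: the order the advisory says 1.48f got wrong.
    Keeps only the last path component and drops characters Windows rejects."""
    name = decode_encoded_words(header_value)
    name = re.split(r"[\\/]", name)[-1]                     # ..\..\x.exe -> x.exe
    name = re.sub(r'[\x00-\x1f<>:"|?*]', "", name).strip(". ")  # no "..", no ADS
    return name or "attachment.bin"
```

Note that `stays_inside` is the belt-and-braces check to run on the final path even after `safe_attachment_name`, since a future encoding the sanitiser does not know about would otherwise slip through the same way the encoded-word did.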
Current thread:
- SECURITY.NNOV advisory - The Bat! directory traversal (public release) 3APA3A (Jan 04)
- Re: SECURITY.NNOV advisory - The Bat! directory traversal (public release) Thomas Fernandez (Jan 05)