SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
(Vendor Issues Fix) The Bat! Windows E-mail Client Allows File Storage in Unauthorized Directories
SecurityTracker Alert ID:  1000541
SecurityTracker URL:  http://securitytracker.com/id/1000541
CVE Reference:   CVE-2001-0676   (Links to External Site)
Updated:  Mar 6 2004
Original Entry Date:  Jan 5 2001
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): up through 1.48f
Description:   It has been advised that "The Bat!" (an e-mail client) contains a vulnerability that may allow any user of the e-mail client to save files in an unauthorized directory on the disk where file storage is provided.

SECURITY.NNOV released an advisory indicating that The Bat! performs unauthorized directory traversal.

Under normal operation, users can store attached files independently of the original e-mail message in a user-specific directory. This feature is disabled by default, but is reportedly used often. The Bat! does not ordinarily permit the filename to contain the '\' symbol. However, if the filename is specified as an RFC 2047 encoded word, the character checking is not performed. This allows the user to specify any directory on the disk.

The vendor (Rit Labs) was reportedly contacted on December 21, 2000.
Impact:   A malicious user of the e-mail client can save files in any directory of the disk where file storage is performed. The user could save malicious batch files or executables. Apparently, it is usually only possible to write new files and not overwrite existing files. However, files can be overwritten if the "extract files to" feature is configured in the message filtering rules and the "overwrite file" function is selected.
Solution:   The vendor has released a fixed version (1.49).
Vendor URL:  www.ritlabs.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 5 2001 The Bat! Windows E-mail Client Allows File Storage in Unauthorized Directories


 Source Message Contents
Date:  Fri, 5 Jan 2001 23:06:36 +0800
Subject:  Re: SECURITY.NNOV advisory - The Bat! directory traversal (public


Hello 3APA3A,

I received this reply from Ritlabs:

> Dear Thomas,
>
>
> This is fixed in the version (which is unofficial one) you have and
> 1.49 is on its way - it will be released tonight :-)
>
>
> Thank you for your support!
>
>
>
> --
> Sincerely,
>  Stefan                            mailto:bugs@thebat.net

Stefan Tanurkov is one of the two developers of The Bat!.

--

Cheers,
Thomas                            mailto:Thomas.F.ML@gmx.net

I'm using The Bat! 1.49 Beta/1 under Chinese Windows 98
4.10 Build 1998 with a Celeron 366Mhz, 128MB RAM

On         Thu, 4 Jan 2001 21:55:46 +0300 GMT (05/01/2001, 02:55 +0800 GMT),
3APA3A wrote:

3> SECURITY.NNOV advisory - The Bat! directory traversal


3> Topic:                 The Bat! attachments directory traversal
3> Author:                3APA3A <3APA3A@security.nnov.ru>
3> Affected Software:     The Bat! Version <= 1.48f (latest available)
3> Vendor:                RitLabs
3> Risk:                  Average
3> Impact:                It's possible to add any file in any directory
3>                        on the disk with file archive.
3> Type:                  Client software vulnerability
3> Remotely exploitable:  Yes
3> Released:              21 December 2000
3> Vendor contacted:      21 December 2000
3> Public release:        04 January  2001
3> Vendor URL:            http://www.ritlabs.com
3> Software URL:          http://www.thebat.net
3> SECURITY.NNOV URL:     http://www.security.nnov.ru (in Russian)
3> Credits:               Ann Lilith <lilith-@rambler.ru> (wish her good
3>                        luck, she will need it :)

3> Background:
3> The  Bat!  is  extremely  convenient  commercially  available  MUA for
3> Windows  (will be best one then problem will be fixed, I believe) with
3> lot  of  features by Ritlabs. The Bat! has a feature to store attached
3> files  independently from message in directory specified by user. This
3> feature is disabled by default, but commonly used.

3> Problem:
3> The  Bat!  doesn't  allow  filename  of  attached  file to contain '\'
3> symbol,  if name is specified as clear text. The problem is, that this
3> check   isn't   performed  then  filename  specified  as  RFC's  2047
3> 'encoded-word'.

3> Impact:
3> It's possible to add any files in any directory on the disk where user
3> stores  his  attachments.  For  example,  attacker  can  decide to put
3> backdoor executable in Windows startup folder. Usually it's impossible
3> to  overwrite  existing  files,  because  The  Bat! will add number to
3> filename  if  file  already  exists.  The  only case then files can be
3> overwritten  is  then  "extract  files  to"  is  configured in message
3> filtering rules and "overwrite file" is selected.

3> Vendor:
3> Vendor  (Rit  Labs)  was  contacted on December, 21. Last reply was on
3> December, 22. Vendor claims the patch is ready, but this patch was not
3> provided   for  testing  and  version  distributed  through  FTP  site
3> ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe  IS vulnerable. It looks
3> like  all  the staff is on their X-mas vocations or they don't want to
3> release  new  version  because  latest  one was freshly released (file
3> dated December 20).


3> Exploitation:
3> By  default  The  Bat!  stores  attachments  in  C:\Program  Files\The
3> Bat!\MAIL\%USERNAME%\Attach folder.
3> (BTW:  I  don't  think storing MAIL in Program Files instead of User's
3> profile or user's home directory is good idea).
3> In this configuration

3> Content-Type: image/gif
3> Content-Transfer-Encoding: base64
3> Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

3> will save attached file as
3> C:\Windows\Start Menu\Programs\Startup\123.exe
3> ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

3> There  is  no  need  to know exact level of directory, just add enough
3> "..\" in the beginning and you will be in the root of the disk.


3> Workaround:
3> Disable "File attachment stored separate from message" option. In case
3> this  option  is disabled there is still 'social engineering' problem,
3> because  The  Bat!  suggests 'spoofed' directory to save file then you
3> choose to save it. Be careful.


3> Solution:
3> Not available yet. Wait for new version.

3> This  advisory  is being provided to you under RFPolicy v.2 documented
3> at http://www.wiretrip.net/rfp/policy.html.



3> --
3>          /\_/\
3>         { . . }     |\
+--oQQo->>{ ^ }<-----+ \
3> |  3APA3A  U  3APA3A   } You know my name - look up my number (The Beatles)
3> +-------------o66o--+ /
3>                     |/
3> SECURITY.NNOV is http://www.security.nnov.ru - Russian security project


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC