SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
The Bat! Windows E-mail Client Allows File Storage in Unauthorized Directories
SecurityTracker Alert ID:  1000538
SecurityTracker URL:  http://securitytracker.com/id/1000538
CVE Reference:   CVE-2001-0676   (Links to External Site)
Updated:  Mar 6 2004
Original Entry Date:  Jan 5 2001
Impact:   Modification of system information, Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): up through 1.48f
Description:   It has been advised that "The Bat!" (an e-mail client) contains a vulnerability that may allow any user of the e-mail client to save files in an unauthorized directory on the disk where file storage is provided.

SECURITY.NNOV released an advisory indicating that The Bat! performs unauthorized directory traversal.

Under normal operation, users can store attached files independently of the original e-mail message in a user-specific directory. This feature is disabled by default, but is reportedly used often. The Bat! does not ordinarily permit the filename to contain the '\' symbol. However, if the filename is specified as an RFC 2047 encoded word, the character checking is not performed. This allows the user to specify any directory on the disk.

The vendor (Rit Labs) was reportedly contacted on December 21, 2000.

Impact:   A malicious user of the e-mail client can save files in any directory of the disk where file storage is performed. The user could save malicious batch files or executables. Apparently, it is usually only possible to write new files and not overwrite existing files. However, files can be overwritten if the "extract files to" feature is configured in the message filtering rules and the "overwrite file" function is selected.
Solution:   In the short term, you can disable file storage. No vendor solution was available at the time of this entry.
Vendor URL:  www.ritlabs.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SECURITY.NNOV advisory - The Bat! directory traversal (public


SECURITY.NNOV advisory - The Bat! directory traversal


Topic:                 The Bat! attachments directory traversal
Author:                3APA3A <3APA3A@security.nnov.ru>
Affected Software:     The Bat! Version <= 1.48f (latest available)
Vendor:                RitLabs
Risk:                  Average
Impact:                It's possible to add any file in any directory
                       on the disk with file archive.
Type:                  Client software vulnerability
Remotely exploitable:  Yes
Released:              21 December 2000
Vendor contacted:      21 December 2000
Public release:        04 January  2001
Vendor URL:            http://www.ritlabs.com
Software URL:          http://www.thebat.net
SECURITY.NNOV URL:     http://www.security.nnov.ru (in Russian)
Credits:               Ann Lilith <lilith-@rambler.ru> (wish her good
                       luck, she will need it :)

Background:
The  Bat!  is  extremely  convenient  commercially  available  MUA for
Windows  (will be best one then problem will be fixed, I believe) with
lot  of  features by Ritlabs. The Bat! has a feature to store attached
files  independently from message in directory specified by user. This
feature is disabled by default, but commonly used.

Problem:
The  Bat!  doesn't  allow  filename  of  attached  file to contain '\'
symbol,  if name is specified as clear text. The problem is, that this
check   isn't   performed  then  filename  specified  as  RFC's  2047
'encoded-word'.

Impact:
It's possible to add any files in any directory on the disk where user
stores  his  attachments.  For  example,  attacker  can  decide to put
backdoor executable in Windows startup folder. Usually it's impossible
to  overwrite  existing  files,  because  The  Bat! will add number to
filename  if  file  already  exists.  The  only case then files can be
overwritten  is  then  "extract  files  to"  is  configured in message
filtering rules and "overwrite file" is selected.

Vendor:
Vendor  (Rit  Labs)  was  contacted on December, 21. Last reply was on
December, 22. Vendor claims the patch is ready, but this patch was not
provided   for  testing  and  version  distributed  through  FTP  site
ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe  IS vulnerable. It looks
like  all  the staff is on their X-mas vocations or they don't want to
release  new  version  because  latest  one was freshly released (file
dated December 20).


Exploitation:
By  default  The  Bat!  stores  attachments  in  C:\Program  Files\The
Bat!\MAIL\%USERNAME%\Attach folder.
(BTW:  I  don't  think storing MAIL in Program Files instead of User's
profile or user's home directory is good idea).
In this configuration

Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

will save attached file as
C:\Windows\Start Menu\Programs\Startup\123.exe
( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

There  is  no  need  to know exact level of directory, just add enough
"..\" in the beginning and you will be in the root of the disk.


Workaround:
Disable "File attachment stored separate from message" option. In case
this  option  is disabled there is still 'social engineering' problem,
because  The  Bat!  suggests 'spoofed' directory to save file then you
choose to save it. Be careful.


Solution:
Not available yet. Wait for new version.

This  advisory  is being provided to you under RFPolicy v.2 documented
at http://www.wiretrip.net/rfp/policy.html.



--
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
SECURITY.NNOV is http://www.security.nnov.ru - Russian security project

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC