


Category:   Application (E-mail Client)  >   The Bat!
Vendors:   RIT Research Labs
The Bat! E-mail Client Does Not Warn Before Executing Certain Disguised In-line Attachments
SecurityTracker Alert ID:  1001220
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 3 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.51; others likely
Description:   A vulnerability was reported in The Bat! e-mail client that allows a remote user to send an e-mail with a disguised in-line attachment to a recipient who is using The Bat!. When the recipient clicks on the disguised attachment, no warning will be displayed as the genuine attached file executes.

With trivial file extension modifications and carefully calculated file name lengths on an attachment sent to a user, The Bat! can be tricked into creating an inline attachment that will not be indicated in the inbox. When the e-mail message is opened, the attachment will appear to have an icon for a different file type.

A demonstration exploit example MIME type is:

Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename=" what's this?


When the user clicks on the icon, the specified executable will be executed without warning.

A demonstration exploit example is contained in the source message.

Impact:   A recipient of a disguised in-line attachment will not receive the usual warning when the recipient clicks on the disguised attachment and the genuine attachment will be executed automatically.
Solution:   No solution was available at the time of this entry. The vendor intends to correct this in the next beta version.
Vendor URL:
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.
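
With no fix available at the time of this entry, one interim control is to inspect named MIME parts at the mail gateway before delivery. The Python sketch below is an added example, not part of the advisory or the source message; the extension list, length threshold, function names and the messages produced by build_sample are assumptions for illustration, and the heuristics reflect only what the advisory describes (inline disposition, whitespace in the file name, unusual name length, an *.exe payload).

```python
import base64
import email
from email.utils import collapse_rfc2231_value

# Assumed gateway policy for this sketch, not values from the advisory.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}
MAX_NAME_LEN = 64


def audit_attachments(raw_bytes):
    """Return [(filename, [reasons])] for each suspicious named MIME part."""
    msg = email.message_from_bytes(raw_bytes)  # compat32 keeps raw spacing
    findings = []
    for part in msg.walk():
        # get_filename() strips whitespace, so read the parameter directly.
        raw = part.get_param("filename", header="content-disposition")
        if raw is None:
            continue
        name = collapse_rfc2231_value(raw)
        payload = part.get_payload(decode=True) or b""
        is_exe = payload[:2] == b"MZ"  # DOS/PE executable magic
        stem, dot, ext = name.strip().rpartition(".")
        ext = (dot + ext).lower() if dot else ""
        reasons = []
        if name != name.strip():
            reasons.append("filename has leading or trailing whitespace")
        if len(name) > MAX_NAME_LEN:
            reasons.append("filename exceeds %d characters" % MAX_NAME_LEN)
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if is_exe and ext not in EXECUTABLE_EXTS:
            reasons.append("executable content without executable extension")
        if part.get_content_disposition() == "inline" and (
                is_exe or ext in EXECUTABLE_EXTS):
            reasons.append("executable part declared inline")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(disposition, filename, payload):
    """Constructed single-part test message (not the advisory's exploit)."""
    body = base64.b64encode(payload).decode("ascii")
    return ("From: a@example.com\r\nMIME-Version: 1.0\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            'Content-Disposition: %s;\r\n filename="%s"\r\n\r\n%s\r\n'
            % (disposition, filename, body)).encode("ascii")
```

A gateway would quarantine or rename any part that audit_attachments reports, so the recipient's client never has to decide what the file is.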

 Source Message Contents

Subject:  ~..~!guano

Wednesday, 28 March, 2001

The BAT! ~..~ is a feisty multi-tasking email client that is rapidly gaining
popularity and for good reason. Cursory examination of it reveals solid
effective security measures on all fronts, including non-browser dependent
html viewing (with on/off switch), random named file cache, exceptional
warnings when clicking on just about any attachment be it *.html, *.txt etc.
Really very good. Good warning scheme others can learn from.

One problem. ~..~          ~..~           ~..~

We are able to blind The BAT! ~..~ with trivial file extension
modifications and carefully calculated file name lengths:

Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="     what's this?


Will create an inline attachment, which, while not important will not be
indicated in the in-box. What is important is that the attachment viewed once
the mail message has been opened will be with the icon of something else. On
two win98 machines, we achieved the icon of a folder:

(screen shot: 32KB)

and the icon of the local machine hard drive. BAT! worse, when clicking the
icon, the *.exe is executed without warning. The comprehensive warning for
*.exe attachments is bypassed. As far as the client is concerned there is no
attachment and there is no file extension, other than what we decide to give

Tested on win98 and The Bat! Version 1.51 (The BAT! settings appear to have
no relation to this),

Working example (includes harmless *.exe):

Save to disk

Create a new mail message in The Bat! attach the *.eml and click on it and
then the attachment therein. Manufactured attachment sent directly to
The Bat! inbox results in the same.

Notes: Manufacturer informs they will repair this in
the next Beta.


