The Bat! E-mail Client Does Not Warn Before Executing Certain Disguised In-line Attachments
SecurityTracker Alert ID: 1001220
SecurityTracker URL: http://securitytracker.com/id/1001220
Date: Apr 3 2001
Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 1.51; others likely
A vulnerability was reported in The Bat! e-mail client that allows a remote user to send an e-mail with a disguised in-line attachment to a recipient who is using The Bat!. When the recipient clicks on the disguised attachment, no warning will be displayed as the genuine attached file executes.
With trivial file extension modifications and carefully calculated file name lengths on an attachment sent to a user, The Bat! can be tricked into creating an inline attachment that will not be indicated in the inbox. When the e-mail message is opened, the attachment will appear to have an icon for a different file type.
A demonstration exploit example MIME type is:
filename=" what's this?
When the user clicks on the icon, the specified executable will be executed without warning.
A demonstration exploit example is contained in the source message.
A recipient of a disguised in-line attachment will not receive the usual warning when clicking on the disguised attachment, and the genuine attachment will be executed automatically.
No solution was available at the time of this entry. The vendor intends to correct this in the next beta version.
Vendor URL: www.ritlabs.com/
Underlying OS: Windows (Any)
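With no client fix available, a mail gateway can judge attachments by their content instead of the name and icon the client displays. The following is an added example, not code from the advisory, the reporter or the vendor; the length threshold, the extension list, the whitespace-padding heuristic and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

MAX_NAME_LEN = 64  # assumed threshold; the advisory gives no exact length
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed extension list

# Constructed sample (not the advisory's exploit): a part declared as
# text/plain whose base64 payload begins with the DOS/PE "MZ" magic.
SAMPLE_EML = (
    b"From: a@example.test\r\nSubject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: text/plain; name="notes.txt"\r\n'
    b'Content-Disposition: inline; filename="notes.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"TVqQAAMAAAAEAAAA\r\n"
)

def check_name(name):
    """Return reasons a displayed attachment name looks disguised."""
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("overlong name")
    if name != name.strip() or re.search(r"\s{3,}", name):
        reasons.append("whitespace padding")
    return reasons

def scan(raw):
    """Return [(filename, reasons)] for every suspicious MIME part."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = check_name(name)
        # Judge by content: a DOS/PE executable starts with "MZ" whatever
        # name, extension or Content-Type the sender declared.
        if body[:2] == b"MZ" and not name.lower().endswith(EXEC_EXT):
            reasons.append("executable content under non-executable name")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EML):
        print(repr(name), reasons)
```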
Source Message Contents
Wednesday, 28 March, 2001
The BAT! ~..~ is a feisty multi-tasking email client that is rapidly gaining
popularity and for good reason. Cursory examination of it reveals solid
effective security measures on all fronts, including non-browser dependent
html viewing (with on/off switch), random named file cache, exceptional
warnings when clicking on just about any attachment be it *.html, *.txt etc.
Really very good. Good warning scheme others can learn from.
One problem. ~..~ ~..~ ~..~
We are able to blind The BAT! ~..~ with trivial file extension
modifications and carefully calculated file name lengths:
filename=" what's this?
Will create an inline attachment, which, while not important will not be
indicated in the in-box. What is important is that the attachment viewed once
the mail message has been opened will be with the icon of something else. On
two win98 machines, we achieved the icon of a folder:
(screen shot: http://www.malware.com/guano.jpg 32KB)
and the icon of the local machine hard drive. BAT! worse, when clicking the
icon, the *.exe is executed without warning. The comprehensive warning for
*.exe attachments is bypassed. As far as the client is concerned there is no
attachment and there is no file extension, other than what we decide to give
Tested on win98 and The Bat! Version 1.51 (The BAT! settings appear to have
no relation to this),
Working example (includes harmless *.exe):
Save to disk
Create a new mail message in The Bat! attach the *.eml and click on it and
then the attachment therein. Manufactured attachment sent directly to the
The Bat! inbox results in the same.
Notes: Manufacturer http://www.ritlabs.com/ informs they will repair this in
the next Beta.