SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
The Bat! E-mail Client MS-DOS Device Access Flaw Lets Remote Users Send Special E-mail to Cause the Recipient's E-mail Client to Crash
SecurityTracker Alert ID:  1003678
SecurityTracker URL:  http://securitytracker.com/id/1003678
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 27 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.53d, 1.54beta
Description:   Security.NNOV issued an advisory warning of a denial of service vulnerability in 'The Bat!' e-mail client software.

It is reported that a remote user can send an e-mail message to a target (victim) user so that The Bat! will attempt to open a special MS-DOS device. If The Bat! is configured to save attachments separately from message bodies, this vulnerability can be triggered.

A remote user can send a file that has the name of special MS-DOS device to cause the software to attempt to open that device. This will reportedly cause the software to stop receiving any messages. Sometimes a warning message is displayed and sometimes no warning is provided, according to the report.

The report indicates that it does not appear to be possible to cause the client to write to the device, but this has not been confirmed.

The vendor has reportedly been notified.

The following is a demonstration exploit transcript:

bash-2.03$ sendmail -U test@test.com
From: test
To: test
Content-Type: apllication/exe; name=lpt1

Test
.

Impact:   A remote user can send a specially crafted e-mail message to a recipient that uses The Bat! e-mail client to cause the recipient's client to stop processing messages.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that, as a workaround, users can disable the "Keep attachment files separately" option or use the "Account/Dispatch Mail On Server" option to delete problematic messages from the server.

Vendor URL:  www.ritlabs.com/the_bat/index.html (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Special device access in The Bat!


Topic:          Special device access in The Bat!
Author:         3APA3A <3APA3A@security.nnov.ru>
Date:           February, 25 2002
Software:       The Bat! 1.53d, 1.54beta
Vendor:         Ritlabs (http://www.thebat.net)
Risk:           Low to average
Remote:         Yes
Exploitable:    Yes
Vendor Status:  Notified, not verified


Details:

The   Bat!   has special device access bug. If The Bat! is configured to
save attachment apart from message bodies and file has a name of special
device  The  Bat!  will attempt to open special device. This kind of bug
was  described  in  [1].  This  bug  was probably reintroduced in one of
latest version, because our previous test with this product 6 months ago
failed.

It's  not  clear at that moment if it's possible to write special device
(for example to send attached file to printer or COM port), but this bug
definitely  can  be  used  as  a DoS attack against The Bat!. After this
message  The  Bat! stops receiving of any messages (sometimes absolutely
silent, sometimes warning displayed that file can't be open).

Workaround:

Disable   "Keep   attachment   files   separately"   option   or   use
Account/Dispatch  Mail  On  Server  option to delete problematic message
from server.

Vendor:

Vendor was contacted twice on February, 19. No replies received.


Exploitation:

bash-2.03$ sendmail -U test@test.com
From: test
To: test
Content-Type: apllication/exe; name=lpt1

Test
.   

References:

[1]  SECURITY.NNOV: Multiple archivers special DOS/Windows
     devices access
     http://www.security.nnov.ru/advisories/archdos.asp


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC