SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
The Bat! File Permissions Let Local Users Access the Mail of Other Local Users
SecurityTracker Alert ID:  1008004
SecurityTracker URL:  http://securitytracker.com/id/1008004
CVE Reference:   CVE-2003-1133   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Oct 27 2003
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in The Bat! e-mail client software. A local user can access a target user's e-mail.

It is reported that The Bat! creates new accounts with unsafe permissions in the %programfiledir%\The Bat!\MAIL\ directory. A local user can reportedly view inbox and outbox messages.

hUNT3R of 01 Security Sumbission is credited with discovery.

The vendor has reportedly been notified.

Impact:   A local user can view a target user's e-mail.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ritlabs.com/en/products/thebat/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Some serious security holes in 'The Bat!'


'The Bat!' [http://www.ritlabs.com/] is a powerful,
highly configurable, MULTI-USER, yet easy to use email
client.

I have discoverd some serious security holes in 'The
Bat!'

mmm..., when a new account is created in 'The Bat!' It
creates the account in %programfiledir%\The Bat!\MAIL\
without implimenting any proper ACL! so even a guest
USER IS ABLE TO READ! THE "MESSAGES.TBB"
"MESSAGES.TBI" of both 'INBOX' AND 'OUTBOX' by just
creating a new account [in a local or remote PC] and
putting the files in the NEW USERS 'inbox' and
'outbox' and using ! The Bat! itself to READ THE
FILE/email's.


More sevier, "MESSAGES.TBB" and "MESSAGES.TBI" are
stored in PLAIN TEXT!!!

Even worst! The Bat! stores the password in
Account.cfg of the users directory... [say...
%programfiledir%\The Bat!\MAIL\NEW_USER\] If there is
another user have equal right's! he could just delete
the account.cfg and READ another USER'S PASSWORD
PROTECTED EMAIL WITHOUT ANY
PROBLEM's!!!/RESTRICTION!!!

---------------------
FUNNY
---------------------
I copied the ACCOUNT.CFG file from the
%programfiledir%\The Bat!\MAIL\ADMINISTRATOR\

I WAS ABLE TO inject the encrypted password of mine
[simply, using a hex editor] into the ACCOUNT.CFG of
\ADMINISTRATOR\ by copying it to a new directory and
then making few email adjustments etc... i was
completely able to, not only HIJACK "MESSAGES.TBB" and
"MESSAGES.TBI"
of the admin. account but also TAKING
CONTROL/ACCESSING/USE ACCOUNT.CFG of the ADMINistrator
form a guest account.

------------------------------------------------
 Some possible solution, until update's are relesed!
------------------------------------------------
Creating the new user account in %userprofile% [when
possible] insted of %programfiledir%\The Bat!\MAIL\ or
changing path of The Bat! folder to %userprofile% so
that ACL's of NTFS will handle the rest!

[After you create a new account [folder] in
%userprofile% you could then simply copy all of your
goodees from %programfiledir%\The
Bat!\MAIL\YOUR_ACCOUNT-FILE to
%userprofile%\YOUR_ACCOUNT-FILE \

Checking proper ACL! manually, or implimenting proper
rules by using a 3'rd party software so that it's hard
to SPY INTO "MESSAGES.TBB" and "MESSAGES.TBI" by
unauthorised USER!

--------------------------------
Shouldn't the developer's....
--------------------------------
Store the encrypted password in the headers of
"MESSAGES.TBB" and "MESSAGES.TBI" insted of seperate
file!!! so that 'The Bat!' can effectively check if
the file is password protected or not before it opens
the content!
Encrypting the content's of "MESSAGES.TBB" and
"MESSAGES.TBI" [and other cfg files...] insted of
putting it all in a plain text!!!

I don't think the developrs wanna see a worm that
grep's all the @ [heee... email account's] from
"MESSAGES.TBB" and "MESSAGES.TBI" files AND PLAY
THRASH.....

--[Background Information]--
This bug was originally discovered by hUNT3R, a member
of 01 Security Sumbission. The vendor was notified via
email.
http://www.ysgnet.com/hn




__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC