Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: bt1332.txt

The Bat! - Some serious security holes





'The Bat!' [http://www.ritlabs.com/] is a powerful, highly configurable,
MULTI-USER, yet easy to use email client.

I have discoverd some serious security holes in 'The Bat!'

mmm..., when a new account is created in 'The Bat!' It creates the
account in %programfiledir%\The Bat!\MAIL\ without implimenting any
proper ACL! so even a guest USER IS ABLE TO READ! THE "MESSAGES.TBB"
"MESSAGES.TBI" of both 'INBOX' AND 'OUTBOX' by just creating a new
account [in a local or remote PC] and putting the files in the NEW USERS
'inbox' and 'outbox' and using ! The Bat! itself to READ THE
FILE/email's.

More sevier, "MESSAGES.TBB" and "MESSAGES.TBI" are stored in PLAIN
TEXT!!!

Even worst! The Bat! stores the password in Account.cfg of the users
directory... [say... %programfiledir%\The Bat!\MAIL\NEW_USER\] If there
is another user have equal right's! he could just delete the account.cfg
and READ another USER'S PASSWORD PROTECTED EMAIL WITHOUT ANY
PROBLEM's!!!/RESTRICTION!!!

---------------------
FUNNY
---------------------

I copied the ACCOUNT.CFG file from the %programfiledir%\The
Bat!\MAIL\ADMINISTRATOR\

I WAS ABLE TO inject the encrypted password of mine [simply, using a hex
editor] into the ACCOUNT.CFG of \ADMINISTRATOR\ by copying it to a new
directory and then making few email adjustments etc... i was completely
able to, not only HIJACK "MESSAGES.TBB" and "MESSAGES.TBI" of the admin.
account but also TAKING CONTROL/ACCESSING/USE ACCOUNT.CFG of the
ADMINistrator form a guest account.

------------------------------------------------
Some possible solution, until update's are relesed!
------------------------------------------------

Creating the new user account in %userprofile% [when possible] insted of
%programfiledir%\The Bat!\MAIL\ or changing path of The Bat! folder to
%userprofile% so that ACL's of NTFS will handle the rest!

[After you create a new account [folder] in %userprofile% you could then
simply copy all of your goodees from %programfiledir%\The
Bat!\MAIL\YOUR_ACCOUNT-FILE to %userprofile%\YOUR_ACCOUNT-FILE \

Checking proper ACL! manually, or implimenting proper rules by using a
3'rd party software so that it's hard to SPY INTO "MESSAGES.TBB" and
"MESSAGES.TBI" by unauthorised USER!

--------------------------------
Shouldn't the developer's....
--------------------------------

Store the encrypted password in the headers of "MESSAGES.TBB" and
"MESSAGES.TBI" insted of seperate file!!! so that 'The Bat!' can
effectively check if the file is password protected or not before it
opens the content!

Encrypting the content's of "MESSAGES.TBB" and "MESSAGES.TBI" [and other
cfg files...] insted of putting it all in a plain text!!!

I don't think the developrs wanna see a worm that grep's all the @
[heee... email account's] from "MESSAGES.TBB" and "MESSAGES.TBI" files
AND PLAY THRASH.....



--[Background Information]--

This bug was originally discovered by hUNT3R, a member of 01 Security
Sumbission. The vendor was notified via email.

http://www.ysgnet.com/hn



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH