The Bat! Two vulnerabilities

    The Bat!


    Win systems


    '3APA3A' found the following.  "The Bat!" by RitLabs is an
    extremely convenient mail agent with a lot of features for Win
    platforms.  One of "The Bat!" features is storing files attached
    to e-mail messages separately from message bodies.  In this case
    "The Bat!" puts attached files in a preconfigured folder and
    removes the corresponding MIME part from the message.  In its
    place, "The Bat!" adds an additional pseudo-header, X-BAT-FILES,
    something like:

        X-BAT-FILES: D:\Home\Incoming\attachment.doc

    There are a few possible problems:
    1. When forwarding a message with an attachment, this header isn't
       stripped.  This allows the recipient of the forward to learn
       the physical location of the user's incoming files.  This can
       be very useful for an attack like the one in "Georgi Guninski
       security advisory #8, 2000", because you can send any file to
       the user and you will know where this file will be located.

    2. "The Bat!" doesn't check whether the headers of an incoming
       message contain this header (and this is even more dangerous).
       An intruder can spoof this header, for example by specifying

        X-BAT-FILES: C:\WINDOWS\user.dat

       in the message headers.  In this case user.dat will appear as
       a message attachment!  If the recipient forwards this message,
       user.dat will be attached to the forward.  If the recipient
       deletes this message and the option "Delete attached file then
       message deleted from trash folder" is checked,
       C:\WINDOWS\user.dat will be deleted.  This was tested with
       version 1.39.

    This problem can be more dangerous when combined with the "device
    path string vulnerability".  An intruder can spoof mail to add to
    the headers a line like:

        X-BAT-FILES: [drive:]\[device]\[device]

    and it will crash the operating system.  The following five device
    drivers can be used: CON, NUL, AUX, CLOCK$ and CONFIG$.  Systems
    with FAT16 do not seem to be vulnerable, while those with FAT32 go
    Boom (based on information provided by Filip Maertens).
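
    Added example (not part of the original advisory and not RitLabs'
    code): the check that item 2 says is missing, written as a filter
    for incoming mail that removes X-BAT-FILES and records why each
    value is untrustworthy.  The folder D:\Home\Incoming comes from the
    advisory's sample header; the function names are assumptions.

```python
import ntpath
from email import message_from_string

# Assumption: the folder the client is configured to save attachments in
# (taken from the advisory's example header).
ATTACH_DIR = r"D:\Home\Incoming"
# Device names listed in the advisory.
DEVICES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}


def classify(path, attach_dir=ATTACH_DIR):
    """Return the reasons a single X-BAT-FILES value should not be trusted."""
    reasons = []
    norm = ntpath.normcase(ntpath.normpath(path.strip()))
    base = ntpath.normcase(ntpath.normpath(attach_dir))
    if not norm.startswith(base + "\\"):
        reasons.append("outside-attachment-folder")
    # A device name matches with or without an extension (NUL, NUL.txt).
    parts = [p.split(".")[0].upper() for p in norm.split("\\") if p]
    if DEVICES.intersection(parts):
        reasons.append("device-name")
    return reasons


def sanitize_incoming(raw):
    """Strip every X-BAT-FILES header from an incoming message.

    Per the advisory the header is added locally by the client, so any copy
    arriving from the network is sender-controlled and is removed.
    Returns (cleaned_message_text, findings).
    """
    msg = message_from_string(raw)
    findings = [(v, classify(v)) for v in msg.get_all("X-BAT-FILES", [])]
    del msg["X-BAT-FILES"]  # removes all occurrences, case-insensitively
    return msg.as_string(), findings


# Constructed sample: the spoofed header from the advisory's item 2.
SPOOFED = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: report\n"
    "X-BAT-FILES: C:\\WINDOWS\\user.dat\n"
    "\n"
    "See attached.\n"
)
```

    The same classify() check applied to outgoing forwards would catch
    the disclosure in item 1, where the header leaves the machine.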


    Rit Labs released a new version, 1.41, of The Bat! with the
    'X-BAT-FILES:' hole fixed.

