Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: thebat3.htm

The BAT! security bypassing tactics



Vulnerability

    The BAT!

Affected

    The BAT!

Description

    'http-equiv'  found  following.   The   BAT!  ~..~  is  a   feisty
    multi-tasking email client that is rapidly gaining popularity  and
    for  good  reason.   Cursory  examination  of  it  reveals   solid
    effective security measures  on all fronts,  including non-browser
    dependent html  viewing (with  on/off switch),  random named  file
    cache,  exceptional  warnings  when  clicking  on  just  about any
    attachment  be  it  *.html,  *.txt  etc.   Really very good.  Good
    warning scheme others can learn from.

    Howeber, we are able to blind the The BAT! ~..~ with trivial  file
    extension  modifications  and   carefully  calculated  file   name
    lengths:

        Content-Type:image/gif;
        Content-Transfer-Encoding: base64
        Content-Disposition: inline;
         filename="     what's this?
        
        
        
        
                                                .gif.exe"

    This will create an inline attachment, which, while not  important
    will not be indicted in the in-box.  What is important is that the
    attachment viewed once  the mail message  has been opened  will be
    with  the  icon  of  something  else.   On  two win98 machines, we
    achieved the icon of a folder (screen shot):

        http://www.malware.com/guano.jpg

    and the icon of  the local machine hard  drive.  BAT! worse,  when
    clicking the  icon, the  *.exe is  executed without  warning.  The
    comprehensive warning for *.exe  attachments is bypassed.   As far
    as the client is concerned there is no attachment and their is  no
    file extension, other than what we decide to give it.

    Tested  on  win98  and  The  Bat!  Version 1.51 (The BAT! settings
    appear to have no relation to this).

    Working example (includes harmless *.exe).  Save to disk:

        http://www.malware.com/guano.eml

    Create a new mail message in  The Bat! attach the *.eml and  click
    on it and  then the attachment  therein.  Manufactured  attachment
    sent directly to the The Bat! inbox results in the same.

Solution

    Manufacturer said they will repair this in the next Beta.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH