Re: Minor security problem in The Bat!

[agk () SCI-NNOV RU (Andrei Koulik)]

Thursday, March 02, 2000, 5:43:08 PM, 3APA3A wrote:

3> Hello,

3> "The Bat!" by RitLabs is extremely convenient mail agent with a lot of
3> features  for Windows platforms. One of "The Bat!" features is storing
3> files  attached to e-mail messages apart from messages bodies. In this
3> case  "The  Bat!"  puts  attached  files  in  preconfigured folder and
3> removes  according  MIME  part  from message. Instead, "The Bat!" adds
3> additional pseudo-header X-BAT-FILES, something like:

3>       X-BAT-FILES: D:\Home\Incoming\attachment.doc

3> There are few possible troubles:

3> 1. Then forwarding message with attachment this header isn't stripped.
3> This  fact  allows  recipient  of  the  forward  to  know the physical
3> location  of  the  user's  incoming files. This can be very useful for
3> attack  like  in  "Georgi  Guninski  security  advisory  #8, 2000" ;-)
3> because  you  can  send  any file to user and you will know where this
3> file will be located.

3> 2. "The Bat!" doesn't check headers of the incoming message to contain
3> this header (and this is even more dangerous). Intruder can spoof this
3> header, for example to specify
3>     X-BAT-FILES: C:\WINDOWS\user.dat
3> in  message  headers.  In  this  case  user.dat will appear as message
3> attachment!  If  recipient  will forward this message user.dat will be
3> attached  to forward. If recipient will delete this message and option
3> "Delete  attached  file  then  message  deleted  from trash folder" is
3> checked C:\WINDOWS\user.dat will be deleted.

3> Tested with version 1.39

3> Vendor contacted.

3> http://www.security.nnov.ru

3> P.S.  "The Bat!" users will see their own c:\autoexec.bat  attached to
3> mail...
3>          /\_/\
3>         { . . }     |\
+--oQQo->>{ ^ }<-----+ \
3> |  3APA3A  U  3APA3A   }
3> +-------------o66o--+ /
3>                     |/
3> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This problem can be more dangerous  if use "device path string
vulnerability"

Intruder can spoof mail to add to the header line like:
  X-BAT-FILES: [drive:]\[device]\[device]
it will crash  operating system.
It can be used follow five device drivers  CON, NUL, AUX, CLOCK$ and CONFIG$.
Vulnerable systems: Windows 95,98 with FAT32.
Systems with  FAT16  do not seem to be vulnerable.

exploit:
 Simply add string
   X-BAT-FILES: c:\con\con
 the the mail header.

Based on information provided by:  <mailto:vorlon () securax org> Filip Maertens.

Best regards,
 Andrei Koulik                            mailto:agk () sci-nnov ru