From: Syaefullah Siddik <[EMAIL PROTECTED]>

Hey, just an FYI for those who use The Bat... :) Sorry if you already knew... Dike

The Bat! file extension vulnerability poses a security threat
------------------------------------------------------------------------

SUMMARY

<http://www.ritlabs.com/> The Bat! is a feisty multi-tasking email client that is rapidly gaining popularity. Cursory examination of it reveals solid, effective security measures on all fronts, including non-browser-dependent HTML viewing (with an on/off switch), a randomly named file cache, and exceptional warnings when clicking on just about any attachment, be it *.html, *.txt, etc.

A security vulnerability in the product allows bypassing some of The Bat!'s security features, allowing attachments to be saved to places other than the temp directory and causing the user to execute programs without being warned about it.

DETAILS

Vulnerable systems: The Bat! version 1.51

A security vulnerability in The Bat! enables us to blind the client with just a trivial file extension modification and a carefully calculated file name length.

Example:

Content-Type:image/gif;
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename=" what's this? .gif.exe"

This will create an inline attachment, which will not be indicated in the inbox. More importantly, when the mail message has been opened, the attachment will be displayed with the icon of something else. On two Win98 machines, we achieved the icon of a folder (screen shot: http://www.malware.com/guano.jpg, 32KB) and the icon of the local machine's hard drive.

What is even worse is that when a user clicks on the icon, the *.exe is executed without warning. The comprehensive warning for *.exe attachments is bypassed. As far as the client is concerned there is no attachment and there is no file extension, other than what we decide to give it.
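The header above is the whole trick: a padded filename, a stacked extension, and an executable declared as an inline image. As an added example (not part of the advisory and not code from Ritlabs), the following Python uses the standard email package to pull the filename out of each MIME part and flag exactly those three properties; the embedded message is constructed to mirror the advisory's header and is not the advisory's guano.eml.

```python
import email
import re
from email import policy

# Extensions Windows runs on double-click; the true (last) extension decides.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}

# Constructed sample modelled on the advisory header; body is base64 "hello".
SAMPLE_EML = (
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: image/gif\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: inline; filename=\" what's this?"
    + " " * 40 + '.gif.exe"\n'
    "\n"
    "aGVsbG8=\n"
    "--b1--\n"
)

def classify_filename(name):
    # Findings derived from the filename alone: padding and stacked extensions.
    findings = []
    if re.search(r"\s{2,}", name):
        findings.append("whitespace padding in filename")
    normalised = re.sub(r"\s+", " ", name).strip()
    exts = [e.lower() for e in normalised.split(".")[1:]]
    if len(exts) >= 2:
        findings.append("double extension: " + ".".join(exts))
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension: " + exts[-1])
    return findings

def scan_message(raw):
    # Return [(filename, findings)] for every attachment that looks spoofed.
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        findings = classify_filename(name)
        # An executable presented as an inline image is the advisory's case.
        if findings and findings[-1].startswith("executable"):
            if part.get_content_maintype() in ("image", "text"):
                findings.append("executable declared as " + part.get_content_type())
            if part.get_content_disposition() == "inline":
                findings.append("executable marked inline")
        if findings:
            results.append((name, findings))
    return results
```

Running scan_message(SAMPLE_EML) yields a single hit carrying all five findings; a plain report.pdf yields none.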
Exploit:

Working example (includes a harmless *.exe). Save to disk: http://www.malware.com/guano.eml

Create a new mail message in The Bat!, attach the *.eml, click on it and then on the attachment therein. A manufactured attachment sent directly to The Bat! inbox results in the same.

Vendor Response:

The manufacturer (http://www.ritlabs.com/) informs us that they will repair this in the next Beta.

ADDITIONAL INFORMATION

The information has been provided by Anonymous.

-- 
Compu-Mania MailingList, provided by PT Centrin Online Tbk
Archive: http://www.mail-archive.com/[email protected]/
