===================Original message text===============
From: Jason K. Fritcher <[EMAIL PROTECTED]>
To: Steve Lamb <[EMAIL PROTECTED]>
Date: Friday, March 03, 2000, 9:36:48 AM
Subject: Minor security problem in The Bat!



This is good. :)

==================BEGIN FORWARDED MESSAGE==================
>X-BAT-FILES: c:\autoexec.bat
>Date:         Thu, 2 Mar 2000 17:43:08 +0300
>Reply-To: 3APA3A <[EMAIL PROTECTED]>
>From: 3APA3A <[EMAIL PROTECTED]>
>Subject:      Minor security problem in The Bat!
>X-To:         [EMAIL PROTECTED]
>X-cc:         Stanislav Polozov <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]

Hello,

"The Bat!" by RitLabs is an extremely convenient mail agent with a lot of
features for Windows platforms. One of "The Bat!"'s features is storing
files attached to e-mail messages apart from the message bodies. In this
case "The Bat!" puts the attached files in a preconfigured folder and
removes the corresponding MIME part from the message. Instead, "The Bat!"
adds an additional pseudo-header, X-BAT-FILES, something like:

      X-BAT-FILES: D:\Home\Incoming\attachment.doc

There are a few possible troubles:

1. When forwarding a message with an attachment, this header isn't stripped.
This fact allows the recipient of the forward to know the physical
location of the user's incoming files. This can be very useful for an
attack like in "Georgi Guninski security advisory #8, 2000" ;-)
because you can send any file to the user and you will know where this
file will be located.

2. "The Bat!" doesn't check the headers of the incoming message for
this header (and this is even more dangerous). An intruder can spoof this
header, for example by specifying
    X-BAT-FILES: C:\WINDOWS\user.dat
in the message headers. In this case user.dat will appear as a message
attachment! If the recipient forwards this message, user.dat will be
attached to the forward. If the recipient deletes this message and the option
"Delete attached file when message deleted from trash folder" is
checked, C:\WINDOWS\user.dat will be deleted.

Tested with version 1.39

Vendor contacted.

http://www.security.nnov.ru

P.S. "The Bat!" users will see their own c:\autoexec.bat attached to
this mail...
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


===================END FORWARDED MESSAGE===================


-- 
Jason K. Fritcher
Software Developer, Business Web Hosting
[EMAIL PROTECTED]
(626) 296-5880 x65880



================End of original message text===========

-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
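A defensive check for the two issues in the forwarded advisory, as an added example that is not part of the original thread or of The Bat!'s own code: it uses Python's standard `email` module to flag an inbound message that carries the local-only X-BAT-FILES pseudo-header (which should only ever be written by the local client, never accepted from the network) and to strip that header before a message is forwarded, so the local attachment path is not leaked. The sample message is constructed for the example.

```python
import email
from email import policy

# Pseudo-headers that a mail client writes locally to record where a
# detached attachment was stored. Such a header carries a path on the
# recipient's own disk, so a copy arriving from the network is either
# spoofed (issue 2 in the advisory) or a leak from the sender's setup
# (issue 1); in neither case should it be trusted or passed on.
LOCAL_ONLY_HEADERS = ("X-BAT-FILES",)


def find_spoofed_local_headers(raw_message: bytes):
    """Return (name, value) pairs for every local-only header found in an
    inbound message. A non-empty result means the header arrived over the
    network and must not be honoured as an attachment reference."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for name in LOCAL_ONLY_HEADERS:
        # get_all is case-insensitive and returns every occurrence.
        for value in msg.get_all(name, []):
            found.append((name, str(value).strip()))
    return found


def strip_local_headers(raw_message: bytes) -> bytes:
    """Remove all occurrences of local-only headers, e.g. before forwarding,
    so neither a spoofed path nor the local incoming-folder path leaves
    the machine. The rest of the message is left untouched."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for name in LOCAL_ONLY_HEADERS:
        del msg[name]  # deletes every header with this name
    return msg.as_bytes()


# Constructed sample: an inbound message whose headers carry a spoofed
# X-BAT-FILES entry pointing at a system file, as in the advisory.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: test
X-BAT-FILES: C:\\WINDOWS\\user.dat
Content-Type: text/plain

hello
"""

if __name__ == "__main__":
    for name, value in find_spoofed_local_headers(SAMPLE):
        print(f"untrusted local-only header on inbound mail: {name}: {value}")
    print(strip_local_headers(SAMPLE).decode())
```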
