-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings TB! Users,
In case any of your aren't on BugTraq (likely for the majority?), this
was sent in a while ago.
I haven't attached the original file attachment for obvious reasons,
so if anyone is interested in it, I can send it to any of you
privately. Note the work-around towards the bottom.
(I'm hoping this has already been addressed in the latest Betas.)
- -Brian
==================================================================
Subject: SECURITY.NNOV: The Bat! <cr> bug
Author: 3APA3A <[EMAIL PROTECTED]>
Dated: Wednesday, April 18, 2001
Files: badmess.zip
==================================================================
There is more fun then security impact in this issue, but it's a kind
of DoS and can give a lot of headache to postmasters.
=-------8<----------------------------------
SECURITY.NNOV URL: http://www.security.nnov.ru
Topic: The Bat! <cr> bug
Application: The Bat! 1.51 (latest)
Vendor: RitLabs
Category: Denial of Service
Risk Factor: Low
Remote: Yes
Vendor Contacted: 13.04.2001
Software URL: http://www.thebat.net
Vendor URL: http://www.ritlabs.com
+Introduction:
The Bat! Is very convenient commercially available MUA for Windows
with lot of features.
+Details:
While RETRiving message via POP3 (IMAP isn't tested) The Bat!
incorrectly processes 0x0D (CR) character if it's not followed by
0x0A (LF). The Bat! incorrectly calculates end of the message and the
part of message is treated as reply from POP3 server. The Bat! fails
to receive the rest of the messages and fails to delete received
messages from server. This leads to DoS against user's POP3 account.
Malformed message can emulate any POP3 server replies.
+Exploitation:
Extract attached "badmessage" and send it, e.g. using
cat badmessage | sendmail -U [EMAIL PROTECTED]
or copy it to user's mailbox.
This message causes The Bat! to show something like:
!13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong
User: replace user with your system administrator--
message is crafted to do not contain this text somewhere in the body.
+Workaround:
use "Dispatch Mail on Server" feature to delete malformed message
from server or use different MUA.
+Solution:
No yet.
+Vendor:
RitLabs was contacted on April, 13 (happy Easter to you, guys). No
feedback yet.
This advisory is being provided to you under RFPolicy v.2 documented
at http://www.wiretrip.net/rfp/policy.html.
- --
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt (Build 04)
Comment: Not at this time, thanks.
iQA/AwUBOt/ES7Wi5fvk0MfIEQJHsgCg/hXURBN3sxkI/Ke4syW9nE1E8BIAoIBZ
CKg3PsDi2Gpaa1yE5RU0s3Xt
=sBlO
-----END PGP SIGNATURE-----
--
______________________________________________________
Archives : <http://tbudl.thebat.dutaint.com>
Moderators : <mailto:[EMAIL PROTECTED]>
TBTech List: <mailto:[EMAIL PROTECTED]>
Unsubscribe: <mailto:[EMAIL PROTECTED]>
You are subscribed as : archive@jab.org
