{"id": "PACKETSTORM:24042", "type": "packetstorm", "bulletinFamily": "exploit", "title": "thebat.traverse.txt", "description": "", "published": "2001-01-09T00:00:00", "modified": "2001-01-09T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/24042/thebat.traverse.txt.html", "reporter": "3APA3A", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:27:19", "viewCount": 12, "enchantments": {"score": {"value": -0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/24042/thebat.traverse.txt", "sourceData": "`SECURITY.NNOV advisory - The Bat! directory traversal \n \n \nTopic: The Bat! attachments directory traversal \nAuthor: 3APA3A <3APA3A@security.nnov.ru> \nAffected Software: The Bat! Version <= 1.48f (latest available) \nVendor: RitLabs \nRisk: Average \nImpact: It's possible to add any file to any directory \non the disk that holds the attachment archive. \nType: Client software vulnerability \nRemotely exploitable: Yes \nReleased: 21 December 2000 \nVendor contacted: 21 December 2000 \nPublic release: 04 January 2001 \nVendor URL: http://www.ritlabs.com \nSoftware URL: http://www.thebat.net \nSECURITY.NNOV URL: http://www.security.nnov.ru (in Russian) \nCredits: Ann Lilith <lilith-@rambler.ru> (wish her good \nluck, she will need it :) \n \nBackground: \nThe Bat! is an extremely convenient commercially available MUA for \nWindows (it will be the best one once this problem is fixed, I believe) \nwith a lot of features, by Ritlabs. The Bat! has a feature to store \nattached files separately from the message, in a directory specified \nby the user. This feature is disabled by default, but commonly used. \n \nProblem: \nThe Bat! doesn't allow the filename of an attached file to contain the \n'\\' character if the name is specified as clear text. The problem is \nthat this check isn't performed when the filename is specified as an \nRFC 2047 'encoded-word'. \n \nImpact: \nIt's possible to add any file to any directory on the disk where the \nuser stores attachments. For example, an attacker can decide to put a \nbackdoor executable in the Windows startup folder. Usually it's \nimpossible to overwrite existing files, because The Bat! will add a \nnumber to the filename if the file already exists. The only case in \nwhich files can be overwritten is when \"extract files to\" is \nconfigured in message filtering rules and \"overwrite file\" is selected. \n \nVendor: \nThe vendor (Rit Labs) was contacted on December 21. The last reply was \non December 22. The vendor claims the patch is ready, but this patch \nwas not provided for testing, and the version distributed through the \nFTP site ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. \nIt looks like all the staff are on their X-mas vacations, or they don't \nwant to release a new version because the latest one was freshly \nreleased (file dated December 20). \n \n \nExploitation: \nBy default The Bat! stores attachments in the C:\\Program Files\\The \nBat!\\MAIL\\%USERNAME%\\Attach folder. \n(BTW: I don't think storing MAIL in Program Files instead of the user's \nprofile or the user's home directory is a good idea.) \nIn this configuration \n \nContent-Type: image/gif \nContent-Transfer-Encoding: base64 \nContent-Disposition: attachment; filename=\"=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTI \nzLmV4ZQ==?=\" \n \nwill save the attached file as \nC:\\Windows\\Start Menu\\Programs\\Startup\\123.exe \n( ..\\..\\..\\..\\..\\Windows\\Start Menu\\Programs\\Startup\\123.exe ) \n \nThere is no need to know the exact directory depth: just add enough \n\"..\\\" at the beginning and you will be in the root of the disk. \n \n \nWorkaround: \nDisable the \"File attachment stored separate from message\" option. \nEven when this option is disabled there is still a 'social engineering' \nproblem, because The Bat! suggests the 'spoofed' directory to save the \nfile to when you choose to save it. Be careful. \n \n \nSolution: \nNot available yet. Wait for the new version. \n \nThis advisory is being provided to you under RFPolicy v.2 documented \nat http://www.wiretrip.net/rfp/policy.html. \n \n \n \n-- \n/\\_/\\ \n{ . . } |\\ \n+--oQQo->{ ^ }<-----+ \\ \n| 3APA3A U 3APA3A } You know my name - look up my number (The Beatles) \n+-------------o66o--+ / \n|/ \nSECURITY.NNOV is http://www.security.nnov.ru - Russian security project \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645443434, "score": 1659770509}}