thebat.traverse.txt

`SECURITY.NNOV advisory - The Bat! directory traversal  
  
  
Topic: The Bat! attachments directory traversal  
Author: 3APA3A <[email protected]>  
Affected Software: The Bat! Version <= 1.48f (latest available)  
Vendor: RitLabs  
Risk: Average  
Impact: It's possible to add any file in any directory  
on the disk with file archive.  
Type: Client software vulnerability  
Remotely exploitable: Yes  
Released: 21 December 2000  
Vendor contacted: 21 December 2000  
Public release: 04 January 2001  
Vendor URL: http://www.ritlabs.com  
Software URL: http://www.thebat.net  
SECURITY.NNOV URL: http://www.security.nnov.ru (in Russian)  
Credits: Ann Lilith <[email protected]> (wish her good  
luck, she will need it :)  
  
Background:  
The Bat! is extremely convenient commercially available MUA for  
Windows (will be best one then problem will be fixed, I believe) with  
lot of features by Ritlabs. The Bat! has a feature to store attached  
files independently from message in directory specified by user. This  
feature is disabled by default, but commonly used.  
  
Problem:  
The Bat! doesn't allow filename of attached file to contain '\'  
symbol, if name is specified as clear text. The problem is, that this  
check isn't performed then filename specified as RFC's 2047  
'encoded-word'.  
  
Impact:  
It's possible to add any files in any directory on the disk where user  
stores his attachments. For example, attacker can decide to put  
backdoor executable in Windows startup folder. Usually it's impossible  
to overwrite existing files, because The Bat! will add number to  
filename if file already exists. The only case then files can be  
overwritten is then "extract files to" is configured in message  
filtering rules and "overwrite file" is selected.  
  
Vendor:  
Vendor (Rit Labs) was contacted on December, 21. Last reply was on  
December, 22. Vendor claims the patch is ready, but this patch was not  
provided for testing and version distributed through FTP site  
ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. It looks  
like all the staff is on their X-mas vocations or they don't want to  
release new version because latest one was freshly released (file  
dated December 20).  
  
  
Exploitation:  
By default The Bat! stores attachments in C:\Program Files\The  
Bat!\MAIL\%USERNAME%\Attach folder.  
(BTW: I don't think storing MAIL in Program Files instead of User's  
profile or user's home directory is good idea).  
In this configuration  
  
Content-Type: image/gif  
Content-Transfer-Encoding: base64  
Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTI  
zLmV4ZQ==?="  
  
will save attached file as  
C:\Windows\Start Menu\Programs\Startup\123.exe  
( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )  
  
There is no need to know exact level of directory, just add enough  
"..\" in the beginning and you will be in the root of the disk.  
  
  
Workaround:  
Disable "File attachment stored separate from message" option. In case  
this option is disabled there is still 'social engineering' problem,  
because The Bat! suggests 'spoofed' directory to save file then you  
choose to save it. Be careful.  
  
  
Solution:  
Not available yet. Wait for new version.  
  
This advisory is being provided to you under RFPolicy v.2 documented  
at http://www.wiretrip.net/rfp/policy.html.  
  
  
  
--  
/\_/\  
{ . . } |\  
+--oQQo->{ ^ }<-----+ \  
| 3APA3A U 3APA3A } You know my name - look up my number (The Beatles)  
+-------------o66o--+ /  
|/  
SECURITY.NNOV is http://www.security.nnov.ru - Russian security project  
`