SECURITY.NNOV advisory - The Bat! directory traversal (public release)

2001-01-04T00:00:00
ID SECURITYVULNS:DOC:1129
Type securityvulns
Reporter Securityvulns
Modified 2001-01-04T00:00:00

Description

This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html.

SECURITY.NNOV advisory - The Bat! directory traversal

Topic: The Bat! attachments directory traversal Author: 3APA3A <3APA3A@security.nnov.ru> Affected Software: The Bat! Version <= 1.48f Vendor: RitLabs Risk: Average Impact: It's possible to add any file in any directory on the disk with file archive. Type: Client software vulnerability Remotely exploitable: Yes Released: 21 December 2000 Vendor contacted: 21 December 2000 Public release: 04 January 2001 Vendor URL: http://www.ritlabs.com Software URL: http://www.thebat.net SECURITY.NNOV URL: http://www.security.nnov.ru Credits: Ann Lilith <lilith-@rambler.ru> (wish her good luck, she will need it :)

Background: The Bat! is extremely convenient commercially available MUA for Windows (will be best one then problem will be fixed, I believe) with lot of features by Ritlabs. The Bat! has a feature to store attached files independently from message in directory specified by user. This feature is disabled by default, but commonly used.

Problem: The Bat! doesn't allow filename of attached file to contain '\' symbol, if name is specified as clear text. The problem is, that this check isn't performed then filename specified as RFC's 2047 'encoded-word'.

Impact: It's possible to add any files in any directory on the disk where user stores his attachments. For example, attacker can decide to put backdoor executable in Windows startup folder. Usually it's impossible to overwrite existing files, because The Bat! will add number to filename if file already exists. The only case then files can be overwritten is then "extract files to" is configured in message filtering rules and "overwrite file" is selected.

Vendor: Vendor (Rit Labs) was contacted on December, 21. Last reply was on December, 22. Vendor claims the patch is ready, but this patch was not provided for testing and version distributed through FTP site ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. It looks like all the staff is on their X-mas vocations or they don't want to release new version because latest one was freshly released (file dated December 20).

Exploitation: By default The Bat! stores attachments in C:\Program Files\The Bat!\MAIL\%USERNAME%\Attach folder. (BTW: I don't think storing MAIL in Program Files instead of User's profile or user's home directory is good idea).

In this configuration

Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

will save attached file as C:\Windows\Start Menu\Programs\Startup\123.exe ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

There is no need to know exact level of directory, just add enough "..\" in the beginning and you will be in the root of the disk.

Workaround: Disable "File attachment stored separate from message" option. In case this option is disabled there is still 'social engineering' problem, because The Bat! suggests 'spoofed' directory to save file then you choose to save it. Be careful.

Solution: Not available yet. Wait for new version.

-- /\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | 3APA3A U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/ SECURITY.NNOV is http://www.security.nnov.ru