SECURITY.NNOV: The Bat! <cr> bug

2001-04-18T00:00:00
ID SECURITYVULNS:DOC:1525
Type securityvulns
Reporter Securityvulns
Modified 2001-04-18T00:00:00

Description

SECURITY.NNOV URL: http://www.security.nnov.ru Topic: The Bat! <cr> bug Application: The Bat! 1.51 (latest) Vendor: RitLabs Category: Denial of Service Risk Factor: Low Remote: Yes Vendor Contacted: 13.04.2001 Software URL: http://www.thebat.net Vendor URL: http://www.ritlabs.com

+Introduction:

The Bat! Is very convenient commercially available MUA for Windows with lot of features.

+Details:

While RETRiving message via POP3 (IMAP isn't tested) The Bat! incorrectly processes 0x0D (CR) character if it's not followed by 0x0A (LF). Probably each 0x0D character is treated as 2 octets and The Bat! incorrectly calculates size of the message and the part of message is treated as reply from POP3 server. The Bat! fails to receive the rest of the messages and fails to delete received messages from server. This leads to DoS against user's POP3 account. Malformed message can emulate any POP3 server replies.

+Exploitation:

Extract attached "badmessage" and send it, e.g. using

cat badmessage | sendmail -U victim@somewhere.net

or copy it to user's mailbox. This message causes The Bat! to show something like:

!13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong User: replace user with your system administrator--

+Workaround:

use "Dispatch Mail on Server" feature to delete malformed message from server or use different MUA.

+Solution:

No yet.

+Vendor:

RitLabs was contacted on April, 13 (happy Easter to you, guys). No feedback yet.

This advisory is being provided to you under RFPolicy v.2 documented at http://www.wiretrip.net/rfp/policy.html.

-- http://www.security.nnov.ru /\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | 3APA3A U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)