SECURITY.NNOV: Special device access in The Bat!

2002-02-27T00:00:00
ID SECURITYVULNS:DOC:2555
Type securityvulns
Reporter Securityvulns
Modified 2002-02-27T00:00:00

Description

Dear bugtraq,

Topic:          Special device access in The Bat!
Author:         3APA3A <3APA3A@security.nnov.ru>
Date:           February, 25 2002
Software:       The Bat! 1.53d, 1.54beta
Vendor:         Ritlabs (http://www.thebat.net)
Risk:           Low to average
Remote:         Yes
Exploitable:    Yes
Vendor Status:  Notified, not verified

Details:

The Bat! has a special device access bug. If The Bat! is configured to save attachments separately from message bodies and an attached file has the name of a special device, The Bat! will attempt to open that special device. This kind of bug was described in [1]. The bug was probably reintroduced in one of the latest versions, because our previous test of this product 6 months ago failed.

It is not clear at the moment whether it is possible to write to a special device (for example, to send an attached file to a printer or COM port), but this bug can definitely be used for a DoS attack against The Bat!. After receiving such a message, The Bat! stops receiving any messages (sometimes completely silently, sometimes with a warning that the file can't be opened).

Workaround:

Disable the "Keep attachment files separately" option, or use the Account/Dispatch Mail On Server option to delete the problematic message from the server.
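
A filename check that a mail filter or client could apply before saving attachments to disk, as an added example that is not part of the original advisory or of The Bat! itself. The function names and the reserved-name list (CON, PRN, AUX, NUL, COM1-9, LPT1-9) are assumptions of this example; the sample message is constructed from the headers in the Exploitation section.

```python
import re
from email import message_from_string

# Reserved DOS/Windows device names (assumed list); matched case-insensitively.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

def _basename(filename: str) -> str:
    # Keep only the last path component; accept both separators.
    return re.split(r"[\\/]", filename or "")[-1]

def is_device_name(filename: str) -> bool:
    """True if the name would resolve to a device rather than a regular file."""
    # Legacy Win32 name parsing ignores the extension and trailing spaces,
    # so "lpt1", "LPT1.txt" and "lpt1 .exe" all refer to the same device.
    stem = _basename(filename).split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED

def safe_attachment_name(filename: str, fallback: str = "attachment.bin") -> str:
    """Return a name that is safe to create in the attachment directory."""
    base = _basename(filename).strip(" .")
    if not base:
        return fallback
    # Prefixing changes the stem, so the name no longer matches a device.
    return "_" + base if is_device_name(base) else base

def risky_attachments(raw_message: str) -> list:
    """List attachment names in a message that match a reserved device."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() falls back to the Content-Type "name" parameter,
        # which is where the advisory's test message carries the name.
        name = part.get_filename()
        if name and is_device_name(name):
            hits.append(name)
    return hits

# Constructed sample: the headers from the advisory's test message.
SAMPLE = "From: test\nTo: test\nContent-Type: apllication/exe; name=lpt1\n\nTest\n"

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
    print(safe_attachment_name("lpt1"))
```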

Vendor:

The vendor was contacted twice on February, 19. No replies were received.

Exploitation:

bash-2.03$ sendmail -U test@test.com
From: test
To: test
Content-Type: apllication/exe; name=lpt1

Test
.

References:

[1] SECURITY.NNOV: Multiple archivers special DOS/Windows devices access http://www.security.nnov.ru/advisories/archdos.asp

--
http://www.security.nnov.ru
ZARAZA U 3APA3A
You know my name - look up my number (The Beatles)