Thursday, March 02, 2000, 5:43:08 PM, 3APA3A wrote:

3> Hello,
3>
3> "The Bat!" by RitLabs is an extremely convenient mail agent with a lot of
3> features for Windows platforms. One of "The Bat!" features is storing
3> files attached to e-mail messages apart from message bodies. In this
3> case "The Bat!" puts attached files in a preconfigured folder and
3> removes the corresponding MIME part from the message. Instead, "The Bat!"
3> adds an additional pseudo-header X-BAT-FILES, something like:
3>
3> X-BAT-FILES: D:\Home\Incoming\attachment.doc
3>
3> There are a few possible troubles:
3>
3> 1. When forwarding a message with an attachment this header isn't stripped.
3> This fact allows the recipient of the forward to know the physical
3> location of the user's incoming files. This can be very useful for an
3> attack like in "Georgi Guninski security advisory #8, 2000" ;-)
3> because you can send any file to a user and you will know where this
3> file will be located.
3>
3> 2. "The Bat!" doesn't check the headers of the incoming message to
3> contain this header (and this is even more dangerous). An intruder can
3> spoof this header, for example to specify
3>
3> X-BAT-FILES: C:\WINDOWS\user.dat
3>
3> in the message headers. In this case user.dat will appear as a message
3> attachment! If the recipient forwards this message, user.dat will be
3> attached to the forward. If the recipient deletes this message and the
3> option "Delete attached file then message deleted from trash folder" is
3> checked, C:\WINDOWS\user.dat will be deleted.
3>
3> Tested with version 1.39
3> Vendor contacted.
3>
3> http://www.security.nnov.ru
3>
3> P.S. "The Bat!" users will see their own c:\autoexec.bat attached to
3> mail...
3>
3>    /\_/\
3>   { . . } |\  +--oQQo->>{ ^ }<-----+  \
3>   |  3APA3A  U  3APA3A  }
3>   +-------------o66o--+  /
3>   |/
3> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This problem can be more dangerous if used with the "device path string
vulnerability". An intruder can spoof mail to add to the header a line like:

X-BAT-FILES: [drive:]\[device]\[device]

It will crash the operating system. The following five device drivers can be
used: CON, NUL, AUX, CLOCK$ and CONFIG$.

Vulnerable systems: Windows 95, 98 with FAT32. Systems with FAT16 do not seem
to be vulnerable.

Exploit: simply add the string X-BAT-FILES: c:\con\con to the mail header.

Based on information provided by: <mailto:vorlonat_private> Filip Maertens.

Best regards,
Andrei Koulik
mailto:agk@sci-nnov.ru
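As an added defender-side example (not code from this thread or from RitLabs): a mail-gateway filter that strips X-BAT-FILES before a message is forwarded, so the local attachment path is not leaked, and flags the header on inbound mail, treating a reserved DOS device name in its value (the five named above, plus PRN) as a crash attempt. The sample messages and addresses are constructed.

```python
import re
from email import message_from_string

HEADER = "X-BAT-FILES"
# Reserved DOS device names from the thread (CON, NUL, AUX, CLOCK$, CONFIG$)
# plus PRN, which Windows reserves in the same way.
DEVICE_NAMES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$", "PRN"}


def names_device(path: str) -> bool:
    """True if any component of a Windows path is a reserved device name.
    The extension is ignored, so 'con.txt' counts, as does 'c:\\con\\con'."""
    for part in re.split(r"[\\/]", path):
        base = part.split(".", 1)[0].strip().upper()
        if base in DEVICE_NAMES:
            return True
    return False


def audit_incoming(raw: str) -> list:
    """Findings for a message received from the network: the client-internal
    header should never arrive from outside, and a device path in it is a
    crash attempt rather than an ordinary spoof."""
    msg = message_from_string(raw)
    findings = []
    for value in msg.get_all(HEADER, []):
        findings.append(f"spoofed {HEADER} header: {value}")
        if names_device(value):
            findings.append(f"device path in {HEADER}: {value}")
    return findings


def strip_for_forward(raw: str) -> str:
    """Remove every X-BAT-FILES header before the message leaves the client."""
    msg = message_from_string(raw)
    del msg[HEADER]  # Message.__delitem__ removes all occurrences
    return msg.as_string()


# Constructed sample messages, not real traffic.
SPOOFED = (
    "From: attacker@example.invalid\nTo: victim@example.invalid\n"
    "Subject: test\nX-BAT-FILES: c:\\con\\con\n\nbody\n"
)
LEAKY_FORWARD = (
    "From: victim@example.invalid\nSubject: Fwd: report\n"
    "X-BAT-FILES: D:\\Home\\Incoming\\attachment.doc\n\nforwarded body\n"
)
```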
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:04 PDT