Re: SECURITY.NNOV: The Bat! <cr> bug

From: -mat- filid brandy (brandyat_private)
Date: Sat Apr 21 2001 - 11:19:00 PDT


    This is a forwarded message
    From: Bat Registrierservice <bathelp@is-web.com>
    To: GardenStoneat_private <GardenStoneat_private>
    Date: Saturday, April 21, 2001, 5:34:36 PM
    Subject: The Bat! - Bug report [BUG-F8FEFAE1]
    
    ===8<==============Original message text===============
    ____________________________________________________________________
    Message from   : Friday, 20 April 2001 <11:21>
    Subject        : The Bat! - Bug report [BUG-F8FEFAE1]
    Handled by: dhu  <21.04.2001 - 17:32>  Dieter Hummel
    Status: done5e
    ____________________________________________________________________
    
    Reply from Ritlabs:
    
      This is not a bug of The Bat! but a bug of the MTAs (POP3/SMTP servers)
      that allow such odd messages. The proposed "bad-message"
      (http://www.security.nnov.ru/files/badmess.zip) is not
      RFC-compliant. Any RFC-compliant POP3/SMTP server must either bounce
      or cure it. I used the proposed example to send the message to
      myself; on a FreeBSD server with Sendmail 8.11.1 I typed
      cat badmess | sendmail -U maxat_private
    
      This message has been received by a KSI-Linux server with sendmail
      8.8.8, and the POP3 daemon used to retrieve it was Mark Crispin's, v2000.69.
    
      The message has been received with the orphaned LFs replaced with CR-LF
      pairs. Some MTA software in transit has cured the message.
    
      The Bat! could bounce such odd messages, but it intentionally doesn't,
      because there are some odd mail servers that use a single LF as the
      line ending. These servers, however, will quote the dot at the
      end of a line, and the proposed "bad-message" won't work with them
      either.
    
     ...and another one shortly afterwards:
    
      I have, however, made The Bat! handle CR and LF strictly in order to avoid
      this vulnerability.
    
    
    
    
    Kind regards
    Integrated Services GbR
    Official German representative of RITLabs SRL, Moldova
    Authorised The Bat! registration and support service
    
    --
    
    Online registration  : http://www.register-me.de/the_bat/register.html
    Help file v1.5.0     : http://www.BatMail.de
    
                 Integrated Services e.K. | Web-Design  Web-Hosting
                           Phone + Fax: +49.721.151248335
                     Email: sales@is-web.com | dhu@is-web.com
                     The Bat! v1.52 Beta/9 mod [2E7F60DA]
    
    ++ Outgoing mail with possible attachment is found to be virus free ++
       Checked by AVP, using database update from 04-18-2001
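The transport behaviour described in the Ritlabs reply above (an RFC-compliant server normalises bare LFs to CR-LF and quotes a leading dot, and a strict client accepts only CRLF '.' CRLF as the end of a POP3 message), modelled here as an added Python example that is not part of the original message; the sample message and all function names are constructed for this illustration.

```python
import re

CRLF = b"\r\n"
TERMINATOR = CRLF + b"." + CRLF

# Constructed sample: a lone '.' line surrounded by bare LFs, so a lenient
# client that also accepts LF '.' LF sees an end-of-message marker early.
BAD_MESSAGE = b"Subject: test\r\n\r\nline one\n.\nline two\r\n"


def normalize_line_endings(raw: bytes) -> bytes:
    """Turn bare LF or bare CR into CR-LF, as a compliant MTA does in transit."""
    return re.sub(rb"\r\n|\r|\n", CRLF, raw)


def unstuff(body: bytes) -> bytes:
    """Undo dot-stuffing: drop one leading '.' from every line that has one."""
    return CRLF.join(l[1:] if l.startswith(b".") else l for l in body.split(CRLF))


def pop3_retr_payload(body: bytes) -> bytes:
    """Compliant server side of RETR: normalise, dot-stuff, then CRLF '.' CRLF."""
    lines = normalize_line_endings(body).split(CRLF)
    stuffed = CRLF.join(b"." + l if l.startswith(b".") else l for l in lines)
    if not stuffed.endswith(CRLF):
        stuffed += CRLF
    return stuffed + b"." + CRLF


def strict_receive(stream: bytes) -> bytes:
    """Strict client: only CRLF '.' CRLF ends the message; a bare LF is data."""
    end = stream.find(TERMINATOR)
    if end < 0:
        raise ValueError("terminator not found")
    return unstuff(stream[:end] + CRLF)


def lenient_receive(stream: bytes) -> bytes:
    """Weak client: also treats LF '.' LF as the terminator and truncates there."""
    m = re.search(rb"\r?\n\.\r?\n", stream)
    return unstuff(stream[:m.start()] + CRLF) if m else unstuff(stream)
```

With a curing server both clients receive the whole message; with a server that relays the odd message untouched, only the strict client keeps the text after the lone dot.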
    



    This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 14:28:12 PDT