COMMAND
The Bat!
SYSTEMS AFFECTED
Win systems
PROBLEM
'3APA3A' found the following. "The Bat!" by RitLabs is an extremely
convenient mail agent with a lot of features for Win platforms.
One of "The Bat!" features is storing files attached to e-mail
messages apart from the message bodies. In this case "The Bat!"
puts the attached files in a preconfigured folder and removes the
corresponding MIME part from the message. Instead, "The Bat!" adds
an additional pseudo-header X-BAT-FILES, something like:
X-BAT-FILES: D:\Home\Incoming\attachment.doc
There are a few possible troubles:
1. When forwarding a message with an attachment, this header isn't
stripped. This allows the recipient of the forward to learn the
physical location of the user's incoming files. This can be very
useful for an attack like the one in "Georgi Guninski security
advisory #8, 2000", because you can send any file to the user and
you will know where this file will be located.
2. "The Bat!" doesn't check whether the headers of an incoming
message already contain this header (and this is even more
dangerous). An intruder can spoof this header, for example to
specify
X-BAT-FILES: C:\WINDOWS\user.dat
in the message headers. In this case user.dat will appear as a
message attachment! If the recipient forwards this message,
user.dat will be attached to the forward. If the recipient deletes
this message and the option "Delete attached file when message
deleted from trash folder" is checked, C:\WINDOWS\user.dat will be
deleted. This was tested with version 1.39.
This problem can be more dangerous if combined with the "device
path string vulnerability". An intruder can spoof mail to add to
the headers a line like:
X-BAT-FILES: [drive:]\[device]\[device]
which will crash the operating system. The following five device
drivers can be used: CON, NUL, AUX, CLOCK$ and CONFIG$. Systems
with FAT16 do not seem to be vulnerable, while those with FAT32 go
Boom (based on information provided by Filip Maertens).
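The root cause in both points above is that X-BAT-FILES is a purely local pseudo-header that
should never be trusted when it arrives from the network, nor leak when a message leaves. As an
added example (not code from the advisory or from RitLabs), the mail-gateway filter below strips
every X-BAT-FILES header from a message and reports what it found, flagging values that end in one
of the five device names listed above; the sample message is constructed for the demonstration.

```python
import re
from email import message_from_string

# Device names named in the advisory; a path whose last component is one of
# these is a crash attempt rather than a real stored attachment.
DEVICE_NAMES = {"CON", "NUL", "AUX", "CLOCK$", "CONFIG$"}


def classify_bat_files_header(value):
    """Label one X-BAT-FILES value as 'device', 'absolute' or 'relative'."""
    path = value.strip()
    last = path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    if last in DEVICE_NAMES:
        return "device"
    if re.match(r"^[A-Za-z]:\\", path):
        return "absolute"
    return "relative"


def audit_and_strip(raw_message):
    """Remove every X-BAT-FILES header from a raw RFC 822 message.

    Used on inbound mail, this stops a spoofed header from making a local
    file (e.g. user.dat) appear as an attachment; used on outbound mail, it
    stops the incoming-files folder path from leaking in a forward.
    Returns (sanitised_text, findings) where findings is a list of
    (header_value, label) tuples for logging or alerting.
    """
    msg = message_from_string(raw_message)
    findings = [(v, classify_bat_files_header(v))
                for v in msg.get_all("X-BAT-FILES", [])]
    del msg["X-BAT-FILES"]  # deletes all occurrences of the header
    return msg.as_string(), findings


# Constructed sample: a spoofed message carrying both header variants.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: test\n"
    "X-BAT-FILES: C:\\WINDOWS\\user.dat\n"
    "X-BAT-FILES: C:\\NUL\\NUL\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    clean, found = audit_and_strip(SAMPLE_MESSAGE)
    for value, label in found:
        print(f"stripped X-BAT-FILES ({label}): {value}")
    print(clean)
```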
SOLUTION
Rit Labs released new version 1.41 of The Bat! with the
'X-BAT-FILES:' hole fixed.