COMMAND

    The Bat!

SYSTEMS AFFECTED

    The Bat! Version <= 1.48f

PROBLEM

    The following is based on a Security.NNOV advisory.  The Bat! is an
    extremely convenient commercially available MUA for Windows (it will
    be the best one once this problem is fixed) with a lot of  features,
    by Ritlabs.  The Bat! has a feature to store attached files
    independently from the message, in a directory specified by the user.
    This feature is disabled by default, but commonly used.

    The Bat! doesn't allow the filename of an attached file to contain the
    '\' character if the name is specified as clear text.  The problem is
    that this check is not performed when the filename is specified as an
    RFC 2047 'encoded-word'.

    It is therefore possible to write files into any directory on the disk
    where the user stores attachments.  For example, an attacker could
    decide to put a backdoor executable in the Windows startup folder.
    Usually existing files cannot be overwritten, because The Bat! appends
    a number to the filename if the file already exists.  The only case in
    which files can be overwritten is when "extract files to" is configured
    in the message filtering rules and "overwrite file" is selected.

    By default The Bat! stores attachments in

        C:\Program Files\The Bat!\MAIL\%USERNAME%\Attach folder

    In this configuration

        Content-Type: image/gif
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

    will save attached file as

        C:\Windows\Start Menu\Programs\Startup\123.exe
        ( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

    There is no need to know the exact depth of the attachment directory:
    adding enough "..\" at the beginning resolves the path to the root of
    the disk.
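    The check described above, written out as an added example (this is
    not code from The Bat! or from the Security.NNOV advisory): decode the
    RFC 2047 encoded-word first, then apply the same filename rules as for
    clear text, and additionally confirm that the resolved target stays
    inside the attachment directory.  The Content-Disposition filename
    value is the one shown in the header above; the attachment directory
    string, the "user" placeholder standing in for %USERNAME%, and the
    function names are assumptions made for this example.

```python
import ntpath
from email.header import decode_header

# Filename parameter exactly as it appears in the advisory's header (the page's own value).
ADVISORY_FILENAME = (
    "=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="
)

# Constructed stand-in for the default location named in the advisory; "user" replaces %USERNAME%.
ATTACH_DIR = r"C:\Program Files\The Bat!\MAIL\user\Attach"

# Characters a Windows filename component may never contain (path separators included).
FORBIDDEN = frozenset('\\/:*?"<>|')


def decode_filename(raw):
    """Decode an RFC 2047 encoded-word filename to str; clear-text names pass through unchanged."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def filename_is_safe(raw):
    """The rule the MUA should enforce: decode FIRST, then inspect the decoded name."""
    name = decode_filename(raw)
    if not name or name in (".", ".."):
        return False
    if any(ch in FORBIDDEN for ch in name):
        return False
    if any(ord(ch) < 32 for ch in name):      # control characters
        return False
    return True


def resolved_target(attach_dir, raw):
    """Where a naive 'join and normalise' would actually write the decoded filename."""
    return ntpath.normpath(ntpath.join(attach_dir, decode_filename(raw)))


def stays_inside(attach_dir, raw):
    """Containment check: the normalised target must remain under attach_dir."""
    base = ntpath.normpath(attach_dir)
    target = resolved_target(attach_dir, raw)
    return ntpath.commonpath([base, target]) == base


if __name__ == "__main__":
    print("decoded name :", decode_filename(ADVISORY_FILENAME))
    print("passes check :", filename_is_safe(ADVISORY_FILENAME))
    print("would land at:", resolved_target(ATTACH_DIR, ADVISORY_FILENAME))
    print("stays inside :", stays_inside(ATTACH_DIR, ADVISORY_FILENAME))
```

    Both checks are needed: filename_is_safe rejects the separators the
    clear-text check already rejects, but only after decoding, so the
    encoded-word bypass no longer applies; stays_inside catches anything
    the character list misses by resolving the path with Windows
    semantics (ntpath) and comparing it against the attachment directory.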

SOLUTION

    This is fixed in version 1.49.