COMMAND
The BAT!
SYSTEMS AFFECTED
The BAT!
PROBLEM
'http-equiv' found following. The BAT! ~..~ is a feisty
multi-tasking email client that is rapidly gaining popularity, and
for good reason. Cursory examination reveals solid, effective
security measures on all fronts, including non-browser-dependent
HTML viewing (with an on/off switch), a randomly named file cache,
and exceptional warnings when clicking on just about any
attachment, be it *.html, *.txt etc. Really very good. A warning
scheme others can learn from.
However, we are able to blind The BAT! ~..~ with trivial file
extension modifications and carefully calculated file name
lengths:
Content-Type:image/gif;
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename=" what's this?
.gif.exe"
This creates an inline attachment which, while not important,
will not be indicated in the inbox. What is important is that the
attachment, viewed once the mail message has been opened, is shown
with the icon of something else. On two Win98 machines we
obtained the icon of a folder (screen shot):
http://www.malware.com/guano.jpg
and the icon of the local machine's hard drive. BAT! worse, when
the icon is clicked the *.exe is executed without warning. The
comprehensive warning for *.exe attachments is bypassed. As far
as the client is concerned there is no attachment, and there is no
file extension other than what we decide to give it.
Tested on Win98 and The Bat! version 1.51 (The BAT! settings
appear to have no bearing on this).
Working example (includes a harmless *.exe). Save to disk:
http://www.malware.com/guano.eml
Create a new mail message in The Bat!, attach the *.eml, click on
it, and then click on the attachment therein. A manufactured
attachment sent directly to The Bat! inbox gives the same result.
SOLUTION
Manufacturer said they will repair this in the next beta.