COMMAND
The Bat!
SYSTEMS AFFECTED
The Bat! 1.51 (latest)
PROBLEM
3APA3A found the following. There is more fun than security impact
in this issue, but it is a kind of DoS and can give postmasters a
lot of headaches. The Bat! is a very convenient, commercially
available MUA for Windows with a lot of features.
While retrieving (RETR) a message via POP3 (IMAP wasn't tested),
The Bat! incorrectly processes a 0x0D (CR) character if it is not
followed by 0x0A (LF). The Bat! miscalculates the end of the
message, and the rest of the message is treated as a reply from
the POP3 server. The Bat! then fails to receive the remaining
messages and fails to delete the received messages from the
server. This leads to a DoS against the user's POP3 account. A
malformed message can emulate any POP3 server reply.
For exploitation, extract the attached "badmessage" and send it,
e.g. using
    cat badmessage | sendmail -U victim@somewhere.net
or copy it to the user's mailbox. This message causes The Bat! to
show something like:
!13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong User: replace user with your system administrator--
The message is crafted to not contain this text anywhere in the
body.
Ritlabs claims this is not a bug in The Bat! but a bug in the MTAs
(POP3/SMTP servers) that allow such odd messages. The proposed
"bad-message" (http://www.security.nnov.ru/files/badmess.zip) is
not RFC-compliant. Any RFC-compliant POP3/SMTP server must either
bounce or cure it.
The Bat! could bounce such odd messages, but it intentionally does
not, because there are some odd mail servers that use a single LF
as the line ending. These servers, however, will quote the dot at
the end of the line, and the proposed "bad-message" won't work
with them either.
They are wrong. This message _is_ RFC 822 and RFC 1251 compliant.
In fact, RFC 822 quite clearly allows <CR> and <LF> even in some
message headers:
    text        =  <any CHAR, including bare    ; => atoms, specials,
                    CR & bare LF, but NOT       ;  comments and
                    including CRLF>             ;  quoted-strings are
                                                ;  NOT recognized.
_No_ POP3 server should change this message, because RFC 1939
follows RFC 822 as the message standard. RFC 821 (SMTP) simply says
"The mail data may contain any of the 128 ASCII character codes".
RFC 1251 allows a message to contain any binary data and strings of
any length. In fact, sendmail allows any character (including
NULL) in the message body. "badmess" was tested with sendmail
8.9.3 + mail.local + UW-pop3d 7.59.
SOLUTION
Use the "Dispatch Mail on Server" feature to delete the malformed
message from the server, or use a different MUA as a workaround.
No proper solution.
Ritlabs made The Bat! handle CR and LF strictly to avoid this
vulnerability. The Bat! v1.42 Beta/10, released Sat, 21 Apr 2001,
fixes the CR handling described. It is now strict about line
endings. Only <CR><LF>.<CR><LF> is now treated as end of message.