SECURITY.NNOV advisory - The Bat! directory traversal


Topic:                 The Bat! attachments directory traversal
Author:                3APA3A <3APA3A@security.nnov.ru>
Affected Software:     The Bat! Version <= 1.48f (latest available)
Vendor:                RitLabs
Risk:                  Average
Impact:                It's possible to add any file in any directory
                       on the disk with file archive.
Type:                  Client software vulnerability
Remotely exploitable:  Yes
Released:              21 December 2000
Vendor contacted:      21 December 2000
Public release:        04 January  2001
Vendor URL:            http://www.ritlabs.com
Software URL:          http://www.thebat.net
SECURITY.NNOV URL:     http://www.security.nnov.ru (in Russian)
Credits:               Ann Lilith <lilith-@rambler.ru> (wish her good
                       luck, she will need it :)

Background:
The  Bat!  is  extremely  convenient  commercially  available  MUA for
Windows  (will be best one then problem will be fixed, I believe) with
lot  of  features by Ritlabs. The Bat! has a feature to store attached
files  independently from message in directory specified by user. This
feature is disabled by default, but commonly used.

Problem:
The  Bat!  doesn't  allow  filename  of  attached  file to contain '\'
symbol,  if name is specified as clear text. The problem is, that this
check   isn't   performed  then  filename  specified  as  RFC's  2047
'encoded-word'.

Impact:
It's possible to add any files in any directory on the disk where user
stores  his  attachments.  For  example,  attacker  can  decide to put
backdoor executable in Windows startup folder. Usually it's impossible
to  overwrite  existing  files,  because  The  Bat! will add number to
filename  if  file  already  exists.  The  only case then files can be
overwritten  is  then  "extract  files  to"  is  configured in message
filtering rules and "overwrite file" is selected.

Vendor:
Vendor  (Rit  Labs)  was  contacted on December, 21. Last reply was on
December, 22. Vendor claims the patch is ready, but this patch was not
provided   for  testing  and  version  distributed  through  FTP  site
ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe  IS vulnerable. It looks
like  all  the staff is on their X-mas vocations or they don't want to
release  new  version  because  latest  one was freshly released (file
dated December 20).


Exploitation:
By  default  The  Bat!  stores  attachments  in  C:\Program  Files\The
Bat!\MAIL\%USERNAME%\Attach folder.
(BTW:  I  don't  think storing MAIL in Program Files instead of User's
profile or user's home directory is good idea).
In this configuration

Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTI
zLmV4ZQ==?="

will save attached file as
C:\Windows\Start Menu\Programs\Startup\123.exe
( ..\..\..\..\..\Windows\Start Menu\Programs\Startup\123.exe )

There  is  no  need  to know exact level of directory, just add enough
"..\" in the beginning and you will be in the root of the disk.


Workaround:
Disable "File attachment stored separate from message" option. In case
this  option  is disabled there is still 'social engineering' problem,
because  The  Bat!  suggests 'spoofed' directory to save file then you
choose to save it. Be careful.


Solution:
Not available yet. Wait for new version.

This  advisory  is being provided to you under RFPolicy v.2 documented
at http://www.wiretrip.net/rfp/policy.html.



--
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
SECURITY.NNOV is http://www.security.nnov.ru - Russian security project