SECURITY.NNOV advisory - The Bat! directory traversal (public release)

This advisory is being provided to you under the policy documented at
http://www.wiretrip.net/rfp/policy.html.

SECURITY.NNOV advisory - The Bat! directory traversal

Topic: The Bat! attachments directory traversal
Author: 3APA3A <[email protected]>
Affected Software: The Bat! Version <= 1.48f
Vendor: RitLabs
Risk: Average
Impact: It's possible to add any file in any directory
on the disk with file archive.
Type: Client software vulnerability
Remotely exploitable: Yes
Released: 21 December 2000
Vendor contacted: 21 December 2000
Public release: 04 January 2001
Vendor URL: http://www.ritlabs.com
Software URL: http://www.thebat.net
SECURITY.NNOV URL: http://www.security.nnov.ru
Credits: Ann Lilith <[email protected]> (wish her good
luck, she will need it :)

Background:
The Bat! is extremely convenient commercially available MUA for
Windows (will be best one then problem will be fixed, I believe) with
lot of features by Ritlabs. The Bat! has a feature to store attached
files independently from message in directory specified by user. This
feature is disabled by default, but commonly used.

Problem:
The Bat! doesn't allow filename of attached file to contain '\'
symbol, if name is specified as clear text. The problem is, that this
check isn't performed then filename specified as RFC's 2047
'encoded-word'.

Impact:
It's possible to add any files in any directory on the disk where user
stores his attachments. For example, attacker can decide to put
backdoor executable in Windows startup folder. Usually it's impossible
to overwrite existing files, because The Bat! will add number to
filename if file already exists. The only case then files can be
overwritten is then "extract files to" is configured in message
filtering rules and "overwrite file" is selected.

Vendor:
Vendor (Rit Labs) was contacted on December, 21. Last reply was on
December, 22. Vendor claims the patch is ready, but this patch was not
provided for testing and version distributed through FTP site
ftp://ftp.ritlabs.com/pub/the_bat/the_bat.exe IS vulnerable. It looks
like all the staff is on their X-mas vocations or they don't want to
release new version because latest one was freshly released (file
dated December 20).

Exploitation:
By default The Bat! stores attachments in C:\Program Files\The
Bat!\MAIL\%USERNAME%\Attach folder.
(BTW: I don't think storing MAIL in Program Files instead of User's
profile or user's home directory is good idea).

In this configuration

Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?iso8859-1?B?Li5cLi5cLi5cLi5cLi5cV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcMTIzLmV4ZQ==?="

will save attached file as
C:\Windows\Start Menu\Programs\Startup\123.exe
( …\…\…\…\…\Windows\Start Menu\Programs\Startup\123.exe )

There is no need to know exact level of directory, just add enough
"…\" in the beginning and you will be in the root of the disk.

Workaround:
Disable "File attachment stored separate from message" option. In case
this option is disabled there is still 'social engineering' problem,
because The Bat! suggests 'spoofed' directory to save file then you
choose to save it. Be careful.

Solution:
Not available yet. Wait for new version.

–
/\_/\
{ . . } |\
±-oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A } You know my name - look up my number (The Beatles)
±------------o66o–+ /
|/
SECURITY.NNOV is http://www.security.nnov.ru