| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1685551114.20040116123443@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: The Bat! 2.01 memory corruption
Dear bugtraq,
AGK (agk at sandy.ru) discovered The Bat! 2.01 to throw exception on few
messages. It looks like The Bat! 2.01 in standard configuration (with
build-in PGP support) has a bug with processing PGP signed messages
(protocol="application/pgp-signature") with multiple recursively
included parts. I did not any debugging and problem may be in something
else, but changing layout of parts and signatures makes The Bat! to read
_and write_ different unallocated memory regions, potentially it may be
exploitable to code execution. Because The Bat! has it's own exception
handler, application does not crash.
Vendor (RitLabs) was contacted and replied he was unable to reproduce
this bug in 2.03 Beta and latest release 2.02 CE is _probably_ not
vulnerable to. I did not any validation. 1.x versions are not
vulnerable.
Example of message attached.
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
-------------- next part --------------
An embedded message was scrubbed...
From: "Test"
Subject: no subject
Date: 31 Dec 2003 23:42:47 +0300
Size: 1832
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040116/41813bc4/batcrash.mht
Powered by blists - more mailing lists