OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: http-equivexcite.com
Date: Mon Apr 02 2001 - 14:20:26 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Wednesday, 28 March, 2001

    The BAT! ~..~ is a feisty multi-tasking email client that is rapidly gaining
    popularity and for good reason. Cursory examination of it reveals solid
    effective security measures on all fronts, including non-browser dependent
    html viewing (with on/off switch), random named file cache, exceptional
    warnings when clicking on just about any attachment be it *.html, *.txt etc.
    Really very good. Good warning scheme others can learn from.

    One problem. ~..~ ~..~ ~..~

    We are able to blind the The BAT! ~..~ with trivial file extension
    modifications and carefully calculated file name lengths:

    Content-Type:image/gif;
    Content-Transfer-Encoding: base64
    Content-Disposition: inline;
     filename=" what's this?

                                            .gif.exe"

    Will create an inline attachment, which, while not important will not be
    indicted in the in-box. What is important is that the attachment viewed once
    the mail message has been opened will be with the icon of something else. On
    two win98 machines, we achieved the icon of a folder:

    (screen shot: http://www.malware.com/guano.jpg 32KB)

    and the icon of the local machine hard drive. BAT! worse, when clicking the
    icon, the *.exe is executed without warning. The comprehensive warning for
    *.exe attachments is bypassed. As far as the client is concerned there is no
    attachment and their is no file extension, other than what we decide to give
    it.

    Tested on win98 and The Bat! Version 1.51 (The BAT! settings appear to have
    no relation to this),

    Working example (includes harmless *.exe):

    Save to disk

    http://www.malware.com/guano.eml

    Create a new mail message in The Bat! attach the *.eml and click on it and
    then the attachment therein. Manufactured attachment sent directly to the
    The Bat! inbox results in the same.

    Notes: Manufacturer http://www.ritlabs.com/ informs they will repair this in
    the next Beta.

    ~..~

    ---
    http://www.malware.com
    

    _______________________________________________________ Send a cool gift with your E-Card http://www.bluemountain.com/giftcenter/