Some serious security holes in 'The Bat!'

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Some serious security holes in 'The Bat!'
From: Bipin Gautam hUNT3R <door_hunt3r@xxxxxxxxxxxxxxxxx>
Date: 25 Oct 2003 19:00:12 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


'The Bat!' [http://www.ritlabs.com/] is a powerful, highly configurable, 
MULTI-USER, yet easy to use email client.

I have discoverd some serious security holes in 'The Bat!'

mmm..., when a new account is created in 'The Bat!' It creates the account in 
%programfiledir%\The Bat!\MAIL\ without implimenting any proper ACL! so even a 
guest USER IS ABLE TO READ! THE "MESSAGES.TBB" "MESSAGES.TBI" of both 'INBOX' 
AND 'OUTBOX' by just creating a new account [in a local or remote PC] and 
putting the files in the NEW USERS 'inbox' and 'outbox' and using ! The Bat! 
itself to READ THE FILE/email's.


More sevier, "MESSAGES.TBB" and "MESSAGES.TBI" are stored in PLAIN TEXT!!!

Even worst! The Bat! stores the password in Account.cfg of the users 
directory... [say... %programfiledir%\The Bat!\MAIL\NEW_USER\] If there is 
another user have equal right's! he could just delete the account.cfg and READ 
another USER'S PASSWORD PROTECTED EMAIL WITHOUT ANY PROBLEM's!!!/RESTRICTION!!!

---------------------
FUNNY
---------------------
I copied the ACCOUNT.CFG file from the %programfiledir%\The 
Bat!\MAIL\ADMINISTRATOR\

I WAS ABLE TO inject the encrypted password of mine [simply, using a hex 
editor] into the ACCOUNT.CFG of \ADMINISTRATOR\ by copying it to a new 
directory and then making few email adjustments etc... i was completely able 
to, not only HIJACK "MESSAGES.TBB" and "MESSAGES.TBI"
of the admin. account but also TAKING CONTROL/ACCESSING/USE ACCOUNT.CFG of the 
ADMINistrator form a guest account.

------------------------------------------------
 Some possible solution, until update's are relesed!
------------------------------------------------
Creating the new user account in %userprofile% [when possible] insted of 
%programfiledir%\The Bat!\MAIL\ or changing path of The Bat! folder to 
%userprofile% so that ACL's of NTFS will handle the rest!

[After you create a new account [folder] in %userprofile% you could then simply 
copy all of your goodees from %programfiledir%\The Bat!\MAIL\YOUR_ACCOUNT-FILE 
to %userprofile%\YOUR_ACCOUNT-FILE \

Checking proper ACL! manually, or implimenting proper rules by using a 3'rd 
party software so that it's hard to SPY INTO "MESSAGES.TBB" and "MESSAGES.TBI" 
by unauthorised USER!

--------------------------------
Shouldn't the developer's....
--------------------------------
Store the encrypted password in the headers of "MESSAGES.TBB" and 
"MESSAGES.TBI" insted of seperate file!!! so that 'The Bat!' can effectively 
check if the file is password protected or not before it opens the content!
Encrypting the content's of "MESSAGES.TBB" and "MESSAGES.TBI" [and other cfg 
files...] insted of putting it all in a plain text!!!

I don't think the developrs wanna see a worm that grep's all the @ [heee... 
email account's] from "MESSAGES.TBB" and "MESSAGES.TBI" files AND PLAY 
THRASH.....

--[Background Information]--
This bug was originally discovered by hUNT3R, a member of 01 Security 
Sumbission. The vendor was notified via email.
http://www.ysgnet.com/hn

Prev by Date: Re: Internet Explorer and Opera local zone restriction bypass
Next by Date: Java 1.4.2_02 InsecurityManager JVM crash
Previous by thread: New Vulnerability
Next by thread: Java 1.4.2_02 InsecurityManager JVM crash
Index(es):
- Date
- Thread