Advisory: NSAG-¹198-23.02.2006 Research: NSA Group [Russian company on Audit of safety & Network security] Site of Research: http://www.nsag.ru or http://www.nsag.org Product: The Bat v. 3.60.07 Site of manufacturer: www.ritlabs.com The status: 19/11/2005 - Publication is postponed. 19/11/2005 - Manufacturer is notified. 12/12/2005 - Answer of the manufacturer. 22/02/2006 - Publication of vulnerability. Original Advisory: http://www.nsag.ru/vuln/953.html Risk: Critical Description: Vulnerability exists owing to insufficient check of the size of the buffer of a variable in which it is copied data from field Subject. Influence: The malefactor is capable to execute an any code on a computer of the addressee of the letter. Exploit: If a field subject == 4038 bytes at reception of such letter there is an overflow of the buffer and Rewriting of registers EIP and EBP, that allows the malefactor to execute Any code in a context vulnerable The Bat appendices. Exemple: Subject:AAAAAAAAAAA.... 4038..... AABB A=0x41 (hex) B=0x42 (hex) Condition of a code, at the moment of overflow: New Entery point: 00420042 FE???; Unknown command // Performance of an any code!!! Condition of registers: EAX 01CCC4A4 ECX 00000000 EDX 0012FA5C EBX 02A4EB40 ESP 0012F9EC EBP 00410041 thebat.00410041 A A ESI 00000004 EDI 02A231F0 EIP 00420042 thebat.00420042 B B Decision: Download new version. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Our company is the independent auditor of the software in market IT. At present independent audit of the software becomes the standard practice and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors! www.nsag.ru ?Nemesis? © 2006 ------------------------------------ Nemesis Security Audit Group © 2006.