Advisory:
NSAG-¹198-23.02.2006
Research:
NSA Group [Russian company on Audit of safety & Network security]
Site of Research:
http://www.nsag.ru or http://www.nsag.org
Product:
The Bat v. 3.60.07
Site of manufacturer:
www.ritlabs.com
The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
12/12/2005 - Answer of the manufacturer.
22/02/2006 - Publication of vulnerability.
Original Advisory:
http://www.nsag.ru/vuln/953.html
Risk:
Critical
Description:
Vulnerability exists owing to insufficient check of the size of the buffer of a variable
in which it is copied data from field Subject.
Influence:
The malefactor is capable to execute an any code on a computer of the addressee of the letter.
Exploit:
If a field subject == 4038 bytes at reception of such letter there is an overflow of the buffer and
Rewriting of registers EIP and EBP, that allows the malefactor to execute
Any code in a context vulnerable The Bat appendices.
Exemple:
Subject:AAAAAAAAAAA.... 4038..... AABB
A=0x41 (hex)
B=0x42 (hex)
Condition of a code, at the moment of overflow:
New Entery point:
00420042 FE???; Unknown command // Performance of an any code!!!
Condition of registers:
EAX 01CCC4A4
ECX 00000000
EDX 0012FA5C
EBX 02A4EB40
ESP 0012F9EC
EBP 00410041 thebat.00410041
A A
ESI 00000004
EDI 02A231F0
EIP 00420042 thebat.00420042
B B
Decision:
Download new version.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!
www.nsag.ru
?Nemesis? © 2006
------------------------------------
Nemesis Security Audit Group © 2006.