BugTraq
NSA Group Security Advisory NSAG-¹198-23.02.2006 Vulnerability The Bat v. 3.60.07 Feb 23 2006 09:37PM
NSA Group (vulnerability nsag ru)
Advisory:
NSAG-¹198-23.02.2006

Research:
NSA Group [Russian company on Audit of safety & Network security]

Site of Research:
http://www.nsag.ru or http://www.nsag.org

Product:
The Bat v. 3.60.07

Site of manufacturer:
www.ritlabs.com

The status:
19/11/2005 - Publication is postponed.
19/11/2005 - Manufacturer is notified.
12/12/2005 - Answer of the manufacturer.
22/02/2006 - Publication of vulnerability.

Original Advisory:
http://www.nsag.ru/vuln/953.html

Risk:
Critical

Description:
Vulnerability exists owing to insufficient check of the size of the buffer of a variable
in which it is copied data from field Subject.

Influence:
The malefactor is capable to execute an any code on a computer of the addressee of the letter.

Exploit:
If a field subject == 4038 bytes at reception of such letter there is an overflow of the buffer and
Rewriting of registers EIP and EBP, that allows the malefactor to execute
Any code in a context vulnerable The Bat appendices.
Exemple:

Subject:AAAAAAAAAAA.... 4038..... AABB
A=0x41 (hex)
B=0x42 (hex)

Condition of a code, at the moment of overflow:
New Entery point:
00420042 FE???; Unknown command // Performance of an any code!!!

Condition of registers:
EAX 01CCC4A4
ECX 00000000
EDX 0012FA5C
EBX 02A4EB40
ESP 0012F9EC
EBP 00410041 thebat.00410041

A A
ESI 00000004
EDI 02A231F0
EIP 00420042 thebat.00420042

B B

Decision:
Download new version.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Our company is the independent auditor of the software in market IT.
At present independent audit of the software becomes the standard practice
and we suggest to make a let out product as much as possible protected from a various sort of attacks of malefactors!

www.nsag.ru
«Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus