Bugtraq mailing list archives
Norton Email Protection Remote Overflow (Addendum)
From: shok () CANNABIS DATAFORCE NET (Matt Conover)
Date: Mon, 20 Dec 1999 18:08:44 +0300
This was going to be w00giving #11 (w00giving #10 will be posted within the next few days). Anyway, this allows EIP to be overwritten with 265+ bytes, which the person who posted this vulnerability failed to mention or failed to notice. It's unclear if he labeled it as a DoS because he didn't realize it overwrote EIP or because he was unable to produce an exploit. We have not had a chance to write an exploit and we will also try to do that within the next few days.

w00w00 Security Development

Title: Buffer Overflow in POProxy (Norton Antivirus 2000)
Platforms: Windows 95/98/NT/2000
Date: 11th December, 1999
Last Updated: n/a
Vendor Notified: n/a
Author: Nicholas Brawn <ncb () attrition org>

1. Background

POProxy is the program used by Norton Antivirus to proxy POP3 mail collection, in order to identify hostile code (viruses, trojans, etc) before it reaches the system. By default Norton Antivirus' POP3 scanning supports Qualcomm Eudora and Microsoft Outlook mail clients. Other mail client software may be configured to use the "Email Protection" feature of Norton Antivirus.

The POProxy program listens on all configured network interfaces on TCP port 110.

2. Description

The POProxy program crashes (stack/EIP overwritten) when 265+ characters are sent as the parameter to the "USER" command.

Note: When tested against POProxy on NT 4.0, this caused the Doctor Watson process to send CPU utilisation to 100%.

3. Impact

The vulnerability may be exploited to execute arbitrary code on a vulnerable system.

4. Recommendation

It is recommended that you disable "Email Protection" in Norton Antivirus, until a workaround or patch is made available by the vendor. To disable email protection go to:

Start->Programs->Norton AntiVirus->Norton AntiVirus 2000

Click on "Options", and under Email Protection, uncheck the Enable Email Protection box.

If disabling email protection is not an acceptable option, you may choose to implement a third-party firewalling product to disallow unauthorised connections to TCP port 110. Check out http://www.networkice.com.

5. References

- Norton Antivirus 2000: http://www.symantec.com/nav/nav_9xnt/
- w00w00 Security Development: http://www.w00w00.org/
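
Added example, not part of the original post or advisory: a defensive check that flags over-long "USER" arguments in traffic to TCP port 110. It assumes a reassembled client-to-server byte stream; the function names, the verdict labels and the 40-character baseline (the per-argument limit in RFC 1939) are this example's choices, and the sample stream is constructed.

```python
RFC1939_ARG_MAX = 40       # RFC 1939: each argument may be up to 40 characters
ADVISORY_THRESHOLD = 265   # USER parameter length the advisory reports as fatal


def classify_pop3_line(raw: bytes):
    """Classify one client line. Returns (verdict, argument_length)."""
    line = raw.rstrip(b"\r\n")
    keyword, _, arg = line.partition(b" ")
    if keyword.upper() != b"USER":      # POP3 keywords are case-insensitive
        return ("ignore", 0)
    n = len(arg)
    if n >= ADVISORY_THRESHOLD:
        return ("alert", n)             # matches the advisory's crash condition
    if n > RFC1939_ARG_MAX:
        return ("suspicious", n)        # protocol violation, below the threshold
    return ("ok", n)


def scan_stream(data: bytes):
    """Scan a reassembled client stream; return (line_no, verdict, length)
    for every USER line that is not 'ok'.

    The final chunk is classified even when it has no line terminator,
    because an over-long parameter can be acted on by the server before
    the client ever sends CRLF.
    """
    findings = []
    for line_no, chunk in enumerate(data.split(b"\n")):
        verdict, n = classify_pop3_line(chunk)
        if verdict in ("suspicious", "alert"):
            findings.append((line_no, verdict, n))
    return findings


# Constructed sample: a normal login, an RFC-violating USER line, and an
# unterminated USER line longer than the advisory's threshold.
SAMPLE = (
    b"USER alice\r\n"
    b"PASS example\r\n"
    b"user " + b"x" * 60 + b"\r\n"
    b"USER " + b"A" * 300
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE):
        print(finding)
```

The same length test can sit in a filtering proxy in front of port 110, rejecting any line the scanner does not classify as "ok" or "ignore".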