Vulnerability Development mailing list archives

Norton AntiVirus 2000 POProxy.exe


From: craigb () BEST COM (Craig Bernstein)
Date: Wed, 1 Dec 1999 18:55:34 -0800


Good evening!

I just stumbled upon a 'feature' of Norton AntiVirus 2000 that seems like
a bad idea.  I have not seen it discussed elsewhere; my apologies if it is
old news.

When you use the 'email protection' feature of this application, it starts
a POP3 proxy and changes your mail client's settings to connect to port
110 via loopback.  From there, NAV 2000 goes out and grabs your mail,
scans it (I guess), and feeds it back to the mail client.

The problem with this is that port 110 is left open to the world.  At
best, there has to be a denial of service attack there somewhere.  I can
pick up POP mail through your box from anywhere I want, just by using the
login 'username/pop3.server.com'.  I eat your bandwidth at the very least,
and it may be possible to fill your drives and bog your CPU if Norton
waits for the whole message before scanning and forwarding.

At worst, there could be a buffer overflow or other condition that could
be exploited to crash or gain access to the box remotely.  A quick check
of a few cablemodem IP blocks finds quite a few machines with this feature
enabled and the POP proxy wide open.

Am I just being paranoid, or is this a sloppy implementation waiting to be
exploited somehow?  It seems like it would not have been that hard to get
the proxy to only accept connections from localhost...

--
...Craig Bernstein
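
The localhost-only behaviour the post asks for, shown as an added example (not part of the original message and not Norton's code): a listener bound to loopback, a check that flags a wildcard bind, and a peer check at accept time as a second safeguard. The function names are hypothetical, and port 0 is used so the OS picks a free port instead of 110.

```python
import ipaddress
import socket


def make_listener(bind_addr, port=0):
    """Create a listening TCP socket; port 0 asks the OS for a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_addr, port))
    s.listen(5)
    return s


def exposed_beyond_loopback(listener):
    """True if the bound address is reachable by peers other than this host.

    0.0.0.0 (all interfaces) and any routable address count as exposed;
    only 127.0.0.0/8 is treated as local-only.
    """
    bound_ip = listener.getsockname()[0]
    return not ipaddress.ip_address(bound_ip).is_loopback


def accept_local_only(listener):
    """Accept one connection and drop it unless the peer is on loopback.

    This backs up the bind address: if the listener is ever bound more
    widely by mistake, remote peers are still refused.
    """
    conn, (peer_ip, _peer_port) = listener.accept()
    if not ipaddress.ip_address(peer_ip).is_loopback:
        conn.close()
        return None
    return conn


def demo():
    """Compare the bind the post describes with the one it suggests."""
    wide = make_listener("0.0.0.0")     # all interfaces, as described
    local = make_listener("127.0.0.1")  # loopback only, as suggested
    try:
        return {"0.0.0.0": exposed_beyond_loopback(wide),
                "127.0.0.1": exposed_beyond_loopback(local)}
    finally:
        wide.close()
        local.close()


if __name__ == "__main__":
    print(demo())
```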


