Vulnerability Development mailing list archives
Norton AntiVirus 2000 POProxy.exe
From: craigb () BEST COM (Craig Bernstein)
Date: Wed, 1 Dec 1999 18:55:34 -0800
Good evening! I just stumbled upon a 'feature' of Norton AntiVirus 2000 that seems like a bad idea. I have not seen it discussed elsewhere; my apologies if it is old news.

When you use the 'email protection' feature of this application, it starts a POP3 proxy and changes your mail client's settings to connect to port 110 via loopback. From there, NAV 2000 goes out and grabs your mail, scans it (I guess), and feeds it back to the mail client.

The problem with this is that port 110 is left open to the world. At best, there has to be a denial of service attack there somewhere. I can pick up POP mail through your box from anywhere I want, just by using the login 'username/pop3.server.com'. I eat your bandwidth at the very least, and it may be possible to fill your drives and bog your CPU if Norton waits for the whole message before scanning and forwarding. At worst, there could be a buffer overflow or other condition that could be exploited to crash or gain access to the box remotely.

A quick check of a few cablemodem IP blocks finds quite a few machines with this feature enabled and the POP proxy wide open.

Am I just being paranoid, or is this a sloppy implementation waiting to be exploited somehow? It seems like it would not have been that hard to get the proxy to only accept connections from localhost...

--
...Craig Bernstein
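The check below is an added example, not part of the original post or of any Symantec code: it audits `netstat -an` output on your own machine for a POP3 listener bound to anything other than loopback, which is the condition the message describes. The sample output is constructed, and the function names `classify_bind` and `exposed_listeners` are hypothetical.

```python
import ipaddress

# Constructed sample in the layout printed by Windows `netstat -an`;
# the addresses are illustrative, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1041         127.0.0.1:110          ESTABLISHED
"""

def classify_bind(addr):
    """Return 'loopback', 'all-interfaces' or 'single-interface' for a bind address."""
    ip = ipaddress.ip_address(addr.strip("[]"))  # IPv6 literals print as [::]
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface on the host
        return "all-interfaces"
    return "single-interface"

def exposed_listeners(netstat_text, ports=(110,)):
    """List (port, local address, scope) for listeners on `ports` reachable off-host."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect exactly: proto, local addr:port, foreign addr:port, state
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        try:
            scope = classify_bind(addr)
        except ValueError:
            continue  # local address is not an IP literal; skip the line
        if scope != "loopback":
            findings.append((int(port), addr, scope))
    return findings

if __name__ == "__main__":
    for port, addr, scope in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port} bound to {addr} ({scope}): reachable from other hosts")
```

A proxy that only serves the local mail client should show up here as `127.0.0.1:110`, in which case the function returns an empty list.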