Vulnerability Development mailing list archives

Re: Norton AntiVirus 2000 POProxy.exe


From: frantzen () EXPERT CC PURDUE EDU (Mike Frantzen)
Date: Wed, 1 Dec 1999 23:22:24 -0500


Good evening!

Not after the test I just had ;)

I just stumbled upon a 'feature' of Norton AntiVirus 2000 that seems like
a bad idea.  I have not seen it discussed elsewhere; my apologies if it is
old news.
The problem with this is that port 110 is left open to the world.  At
best, there has to be a denial of service attack there somewhere.  I can
pick up POP mail through your box from anywhere I want, just by using the
login 'username/pop3.server.com'.  I eat your bandwidth at the very least,
and it may be possible to fill your drives and bog your CPU if Norton
waits for the whole message before scanning and forwarding.

Another interesting implication would be to use it to bounce port scans.
At the worst you could bounce scanning for pop3 servers.  If enough
information is passed through by the proxy, you could identify the remote
end (or possibly get some shell code bounced through the proxy).

If the proxy supports
        USER name/pop3.server.com:port
You could do some much wider port scans.

You may be able to do a
        USER name/localhost
to cause a land style attack ;)

or maybe a
        USER name/localhost:31337
to trip Back Officer Friendly (does it listen on TCP?)

Back to watching an OpenBSD box install....  Whirrrrrrr

later,
.mike

