Re: Edvice Security Services <support () edvicesecurity com, 000701c1c5fb$c168f970$5a01010a@mic2000

["Sym Security" <symsecurity () symantec com>]

On 7 March, Edivice Security submitted the following:










       To:

                                   BugTraq

       Subject:

                                   Various Vulnerabilities in Norton

                                   Anti-Virus 2002

       Date:

                                   Mar 7 2002 6:16PM

       Author:

                                   Edvice Security Services <

                                   support () edvicesecurity com>

       Message-ID:

                                   <000701c1c5fb$c168f970$5a01010a@mic2000>


       Various Vulnerabilities in Norton Anti-Virus 2002

       ++++++++++++++++++++++++++++++++++++


       Scope

       ----------

       Edvice recently tested NAV 2002's ability to detect viruses in

       incoming

       e-mail messages. NAV 2002 includes an Email protection feature that

       scans incoming and outgoing e-mails for viruses.


       The Findings

       -----------------

       We encountered 4 vulnerabilities in NAV 2002 email protection

       feature.

       One of the vulnerabilities affects the Auto-Protect mechanism as

       well.

       The vulnerabilities allow bypassing NAV 2002 email protection.


     ______________________________________________________________________

     __________________________________________________________________snip


     Symantec Security Response Advisory


     7 March 2002

     Symantec Norton AntiVirus Email Protection Bypass


     Reference

     Edvice Security Services Ltd.


     Risk Impact

     Low


     Affected Components

     Symantec Norton AntiVirus 2002


     Overview

     Edvice Security Services Ltd. notified Symantec that Symantec Norton

     AntiVirus 2002 incoming email scanning protection could be bypassed by

     the following means:

     * Embedding malicious code in a modified MIME message.

     * The exclusion of .nch and .dbx extensions from scanning.
     * MIME header with double file names.


     Details

     Edvice Security Services Ltd. tested Symantec Norton AntiVirus 2002

     and reported the following behaviors:


     1. It is possible to bypass Norton AntiVirus 2002 Incoming Email

     Protection by injecting a NULL character into the MIME message. If the

     NULL character appears before the virus part, then Norton AntiVirus

     2002 fails to detect the virus. Embedding virus or malicious code in

     specific non-RFC compliant MIME formats in some instances causes

     Norton AntiVirus 2002 to prematurely terminate scanning, allowing

     infected emails to go undetected in the initial incoming scanning

     process.


     2. Embedding malicious code in certain non-RFC compliant MIME formats

     in some instances causes Norton AntiVirus 2002 to prematurely

     terminate scanning, allowing infected e-mails to go undetected in the

     initial incoming scanning process.


     3. There are 2 file types, .nch and .dbx, which are excluded by

     default from Norton AntiVirus 2002 scanning. An attacker can take

     either a Word macro virus or an executable file with an embedded

     virus, rename it with an .nch or a .dbx extension, and send it to a

     victim. If the victim runs Norton AntiVirus 2002, these files would be

     excluded from being scanned.  Because Windows automatically recognizes

     these files, double-clicking the file executes the infected document.


     4. Renaming a .doc or .exe file with an "excluded" extension could

     deceive Norton AntiVirus 2002 to exclude the file from being scanned.

     For example,


        Content-Type: application/msword;

                name=\"Virus.nch\" or Virus.dbx

        Content-Transfer-Encoding: base64

        Content-Disposition: attachment;

                filename=\"Virus.exe\"


     In this example, the victim will receive an .exe file and not an .nch

     file. Microsoft Outlook determines the file name using the

     Content-Disposition field while Norton AntiVirus 2002 excludes the

     file after looking at the Content-Type field. Norton AntiVirus 2002

     looks at the first "name" field while Outlook presents the filename as

     Virus.exe. An attacker can take a macro virus (for example,

     Virus.exe), rename it to Virus.nch, and send it to a potential victim.

     If the victim is using Norton AntiVirus 2002, the virus will not be

     detected by the email protection feature or by the Auto-Protect

     feature. However, double-clicking this file will cause it to execute.


     1. Symantec Response

     Symantec feels that there are some basic misunderstandings concerning

     the impact of Edvice Security's findings.  Symantec Norton AntiVirus

     products provide multiple-layered scanning to protect in these cases.

     Symantec customers are not in danger of being infected through any of

     these issues.


     Regarding the first two issues, Symantec has confirmed that although

     the initial incoming scan may be bypassed in the manner described by

     Edvice, the Symantec Norton AntiVirus AutoProtect feature protects a

     system by scanning active files for viruses, Trojan horses, and worms.

     If malicious code is hidden in such a manner as to bypass the initial

     email scan, the malicious virus or code would be detected in real time

     by a scheduled or manual scan if the file were saved on the targeted

     system. Additionally, attempts to execute the malicious code would

     cause Symantec Auto-Protect to alert.  Finally, Symantec's Script

     Blocking feature would further prevent any malicious scripts from

     running on the targeted system. That said, Symantec takes the security

     of its products very seriously.  Symantec will have an update to

     address this RFC issue available via LiveUpdate shortly.


     In the third issue, newsgroups use .nch files for caching and local

     storage while the .dbx files are the mailbox files for Microsoft

     Outlook Express.  It is true that by renaming the file type of a

     malicious file to one of the excluded file types, this will bypass the

     initial incoming email scan.  Further, by renaming a Microsoft Office

     document containing malicious code or macros to one of the excluded

     extensions, Microsoft Office will still recognize the document as a

     Microsoft document and execute it on the system.  However, when the

     malicious Microsoft document is executed the Norton AntiVirus Office

     plug-in would scan it and alert the user to any potential malicious

     activity.  A renamed file or a type other than a Microsoft document

     would not execute on the computer and, therefore, could not infect a

     user's computer.  Symantec is reviewing the exclusion feature to

     respond to this type of issue.


     The fourth issue is similar to the third.  By renaming a file

     containing malicious code to one with an excluded extension and

     delivering it in the non-RFC compliant MIME format, Norton Antivirus'

     incoming email scan could be bypassed and the malicious file saved on

     the system as a executable file or as a Microsoft Office document.

     However, if an attempt is made to execute the malicious file on the

     computer, the file will be detected by Norton AntiVirus or by the

     Norton AntiVirus Office plug-in, depending on the file type, which

     would alert the user to any potential malicious activity.  Symantec

     will have an update to address this RFC issue available via LiveUpdate

     shortly.


     Symantec recommends the following Best Practices to enhance the

     protection of your computers from unauthorized access:

     1. Keep vendor-supplied patches for all software up-to-date.

     2. Be wary of mysterious attachments and executables delivered from

     email, user groups, and so on.

     3. Do not open attachments or executables from unknown sources. Always

     err on the side of caution.

     1. Even if the sender is known, be wary of attachments if the sender

     does not explain the attachment content in the body of the email. You

     do not know the source of the attachment.

     2. If in doubt, contact the sender before opening the attachment. If

     still in doubt, delete the attachment without opening it.


     Credit

     Symantec takes the security and proper functionality of its products

     very seriously. Symantec appreciates the coordination of Mickey

     Boodaei and Edvice Security Services Ltd. in identifying and providing

     technical details of potential areas of concern so it can quickly

     address the issue. Anyone with information on security issues with

     Symantec products should contact symsecurity () symantec com.


     Copyright (c) 2002 by Symantec Corp.

     Permission to redistribute this Advisory electronically is granted as

     long as it is not edited in any way unless authorized by Symantec

     Security Response. Reprinting the whole or part of this Advisory in a

     medium other than electronically requires permission from

     symsecurity () symantec com.


     Disclaimer:

     The information in the advisory is believed to be accurate at the time

     of printing based on currently available information. Use of the

     information constitutes acceptance for use in an AS IS condition.

     There are no warranties with regard to this information. Neither the

     author nor the publisher accepts any liability for any direct,

     indirect or consequential loss or damage arising from use of, or

     reliance on this information.


     Symantec, Symantec Security Response, Symantec product names and Sym

     Security are Registered Trademarks of Symantec Corp. and/or affiliated

     companies in the United States and other countries. All other

     registered and unregistered trademarks represented in this document

     are the sole property of their respective companies/owners.