Bugtraq mailing list archives

http://online.securityfocus.com/archive/1/291358/2002-09-08/2002-09-14/0, Subj: Norton AntiVirus 2001 POPROXY DoS


From: "Sym Security" <symsecurity () symantec com>
Date: Thu, 19 Sep 2002 12:49:48 -0500


On 11 September 2002, Berend-Jan Wever posted:

Ref:
http://online.securityfocus.com/archive/1/291358/2002-09-08/2002-09-14/0

Product:               Norton AntiVirus 2001 version 7.07.23D (fully patched
                       with LiveUpdate)
                       POPROXY.EXE version 7.7.7.23
Platform:              Microsoft Windows
Vendors:               Symantec (http://www.symantec.com)
                       Symantec has not been informed; I'm hoping they read
                       bugtraq.
Severity:              Low: Local DoS
Release Date:          September 11, 2002
Author:                Berend-Jan Wever <SkyLined () edup tudelft nl>
                       http://spoor12.edup.tudelft.nl

--[NORMAL SITUATION]-------------------------------------------------
NAV2001 uses a POP3 proxy to check incoming messages for viruses called
POPROXY.EXE. POPROXY performs a man-in-the-middle function, checking
messages before they are sent to the client. NAV2001 can automatically
configure email clients to log in to "pop3.norton.antivirus" (which points
to 127.0.0.1) with a username consisting of "username/server". This is how
POPROXY knows which server to log on to and which username to use.

Email Client  -> username="user/POP3SERVER"           -> POPROXY
POPROXY       -> username="user"                      -> POP3 SERVER

--[DESCRIPTION OF ABUSE]---------------------------------------------
-------------------------------snip--------------------------------------------------------------------------------------




Symantec Norton AntiVirus 2001 POP3 Proxy Local DoS

Reference
SecurityFocus BugTraq ID 5692, Norton AntiVirus 2001 POP proxy Username
Local Denial of Service Vulnerability

Risk Impact
Low

Affected Components
Symantec Norton AntiVirus 2001 only


Symantec Response

The exploit found by Mr. Jan-Weaver is a local exploit only and is a
self-directed denial-of-service impacting only the system upon
which the targeted version of Symantec Norton AntiVirus 2001 runs.  Because
POPROXY only accepts requests from the localhost adapter,
there is no chance of being able to exploit this issue remotely.

However, Symantec takes any security issues with our products, no matter
how slight, seriously so we reviewed this problem thoroughly.
Symantec Norton AntiVirus versions 2002 and later as well as Symantec's
Corporate and Enterprise AntiVirus scanners are not susceptible
to any attacks of this nature.

This is a very low-risk, local-only DoS issue with Symantec Norton
AntiVirus 2001 only that is remedied in follow-on releases.

Symantec further recommends the following best practices to enhance the
protection of your computers from unauthorized access:

1.    Keep vendor-supplied patches for all software up-to-date.
2.    Run the latest versions of all software if possible.
3.    Be wary of mysterious attachments and executables delivered from
email, user groups, and so on.
4.    Do not open attachments or executables from unknown sources. Always
err on the side of caution.
5.    Even if the sender is known, be wary of attachments if the sender
does not explain the attachment content in the body of the
email. You do not know the source of the attachment.
6.    If in doubt, contact the sender before opening the attachment. If
still in doubt, delete the attachment without opening it.

Credit
Symantec takes the security and proper functionality of its products very
seriously. Symantec appreciates the identification of
potential areas of concern so it can quickly address the issue. Anyone with
information on security issues with Symantec products should
contact symsecurity () symantec com for proper coordination and rapid response
to security issues.

Disclaimer
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or reliance
on this information.
Symantec, Symantec product names and Sym Security are Registered Trademarks
of Symantec Corp. and/or affiliated companies in the United
States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.
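
The login convention described in the quoted advisory ("user/server" from the client, rewritten to "user" for the real POP3 server), sketched as a proxy-side parser that answers malformed or oversized USER arguments with a POP3 -ERR reply. This is an added example, not code from POPROXY or from either author; the function names, the length limit and the host-name rule are assumptions.

```python
import re

# Assumed limits for this sketch; they are not taken from the advisory.
MAX_ARG_LEN = 255
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"(?=.{1,253}\Z)" + LABEL + r"(?:\." + LABEL + r")*")


class BadLogin(ValueError):
    """The USER argument does not follow the 'user/server' convention."""


def split_proxy_login(arg):
    """Split 'user/server' into (user, server); raise BadLogin otherwise."""
    if not arg or len(arg) > MAX_ARG_LEN:
        raise BadLogin("length")
    # Printable ASCII only: no spaces, control bytes or embedded CR/LF.
    if any(not 0x21 <= ord(c) <= 0x7E for c in arg):
        raise BadLogin("charset")
    # Split on the last '/', so the server part never contains a slash.
    user, sep, server = arg.rpartition("/")
    if not sep or not user or not server:
        raise BadLogin("expected user/server")
    if not HOST_RE.fullmatch(server):
        raise BadLogin("server name")
    return user, server


def handle_user_line(line):
    """Return (reply_to_client, upstream_host, line_for_upstream).

    On success the reply is None and the caller connects to upstream_host
    and forwards line_for_upstream; on failure only the reply is set.
    """
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "USER":
        return ("-ERR expected USER\r\n", None, None)
    try:
        user, server = split_proxy_login(arg)
    except BadLogin as exc:
        return ("-ERR bad login (%s)\r\n" % exc, None, None)
    return (None, server, "USER %s\r\n" % user)
```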




