Norton AntiVirus 2001 POP3 Proxy local DoS

From: Berend-Jan Wever (skylinedat_private)
Date: Wed Sep 11 2002 - 04:05:45 PDT

    Product:               Norton AntiVirus 2001 version 7.07.23D (fully patched
                           with LiveUpdate)
                           POPROXY.EXE version 7.7.7.23
    Platform:              Microsoft Windows
    Vendors:               Symantec (http://www.symantec.com)
                           Symantec has not been informed; I'm hoping they read
                           bugtraq.
    Severity:              Low: Local DoS
    Release Date:          September 11, 2002
    Author:                Berend-Jan Wever <SkyLinedat_private>
                           http://spoor12.edup.tudelft.nl
    
    --[NORMAL SITUATION]-------------------------------------------------
    NAV2001 uses a POP3 proxy called POPROXY.EXE to check incoming messages for
    viruses. POPROXY performs a man-in-the-middle function, checking
    messages before they are sent to the client. NAV2001 can automatically
    configure email clients to login to "pop3.norton.antivirus" (which points to
    127.0.0.1) with a username consisting of "username/server". This is how
    POPROXY knows which server to logon to and which username to use.
    
    Email Client  -> username="user/POP3SERVER"           -> POPROXY
    POPROXY       -> username="user"                      -> POP3 SERVER
    
    --[DESCRIPTION OF ABUSE]---------------------------------------------
    The username you supply to POPROXY can contain multiple slashes ("/") but
    only the last one is used as a separator. This supplies us with a way to loop
    POPROXYs; username = "user/POP3SERVER/localhost" will result in this:
    
    Email Client  -> username="user/POP3SERVER/localhost" -> POPROXY(1)
    POPROXY(1)    -> username="user/POP3SERVER"           -> POPROXY(2)
    POPROXY(2)    -> username="user"                      -> POP3 SERVER
    
    By opening multiple connections and/or adding a lot of "/localhost"s to the
    username, POPROXY can be kept busy using 100% cpu for a long time, consuming
    over 57K of memory for every "/localhost" provided.
    If you open enough connections with a big enough username (tested: 2x22K,
    3x8K, 5x4k,...) it will finally crash with an exception, probably because it
    runs out of memory and a pointer returns 0.
    
    --[IMPLICATIONS]-----------------------------------------------------
    POPROXY only accepts local connections, so this will not be easily remotely
    exploitable. POPROXY will return to normal operation if no exception
    occurs. If one does, POPROXY dies and users on the machine will not be able
    to check their email until POPROXY.EXE is manually restarted (NAV2001 is
    not able to restart this!) or the computer is rebooted.
    
    --[DISCUSSION]-------------------------------------------------------
    Using IP spoofing, POPROXY might be fooled into accepting remote data, making
    this a remote attack.
    Also, I have not checked if the exception is exploitable; I'm not that good
    at exploiting yet.
    
    (btw Symantec: the "original file name" field for POPROXY.EXE =
    POPROXY.DLL??)
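The user/server split described above, reconstructed as an added example in Python (not Symantec's code and not part of the original post): the last-slash parse the advisory describes, a hop simulator that reproduces the POPROXY(1) -> POPROXY(2) chain, and a hardened parser that bounds the length and refuses multi-slash or loopback-targeted usernames. The alias set and the 256-byte cap are assumptions for this example.

```python
import ipaddress
# Names that resolve to the proxy itself. The advisory says pop3.norton.antivirus
# points to 127.0.0.1; the full set here is an assumption for this example.
PROXY_ALIASES = {"localhost", "127.0.0.1", "pop3.norton.antivirus"}
MAX_USERNAME_LEN = 256  # assumed cap; the advisory's crashing usernames were 4K-22K

def split_last_slash(username):
    """Parse as the advisory describes: only the LAST '/' separates user and server."""
    user, _, server = username.rpartition("/")
    if not user or not server:
        raise ValueError("expected user/server")
    return user, server

def is_proxy_self(server):
    """True if connecting to 'server' would come back to this proxy."""
    if server.lower() in PROXY_ALIASES:
        return True
    try:
        return ipaddress.ip_address(server).is_loopback
    except ValueError:
        return False

def proxy_hops(username):
    """Simulate the chain: each proxy instance strips one trailing '/<alias>'."""
    hops = 0
    while True:
        user, server = split_last_slash(username)
        hops += 1
        if not is_proxy_self(server):
            return hops, user, server
        username = user  # the proxy forwards the shortened username to itself

def split_hardened(username):
    """Mitigation: bound the length, allow one '/', refuse loopback targets."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    if username.count("/") != 1:
        raise ValueError("exactly one '/' allowed")
    user, server = split_last_slash(username)
    if is_proxy_self(server):
        raise ValueError("server must not be the proxy itself")
    return user, server

def rejected(username):
    # Check helper: does the hardened parser refuse this username?
    try:
        split_hardened(username)
    except ValueError:
        return True
    return False
```

Each extra "/localhost" in the simulated chain is one more proxy instance holding state, which is the per-suffix memory growth the advisory measures.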
    