http://online.securityfocus.com/archive/1/291358/2002-09-08/2002-09-14/0, Subj: Norton AntiVirus 2001 POPROXY DoS

From: Sym Security (symsecurityat_private)
Date: Thu Sep 19 2002 - 10:49:48 PDT


    On 11 September 2002, Berend-Jan Wever posted:
    
    Ref:
    http://online.securityfocus.com/archive/1/291358/2002-09-08/2002-09-14/0
    
    Product:               Norton AntiVirus 2001 version 7.07.23D (fully patched
                           with LiveUpdate)
                           POPROXY.EXE version 7.7.7.23
    Platform:              Microsoft Windows
    Vendors:               Symantec (http://www.symantec.com)
                           Symantec has not been informed; I'm hoping they read
                           bugtraq.
    Severity:              Low: Local DoS
    Release Date:          September 11, 2002
    Author:                Berend-Jan Wever <SkyLinedat_private>
                           http://spoor12.edup.tudelft.nl
    
    --[NORMAL SITUATION]-------------------------------------------------
    NAV2001 uses a POP3 proxy called POPROXY.EXE to check incoming messages for
    viruses. POPROXY performs a man-in-the-middle function, checking
    messages before they are sent to the client. NAV2001 can automatically
    configure email clients to log in to "pop3.norton.antivirus" (which points
    to 127.0.0.1) with a username consisting of "username/server". This is how
    POPROXY knows which server to log on to and which username to use.
    
    Email Client  -> username="user/POP3SERVER"           -> POPROXY
    POPROXY       -> username="user"                      -> POP3 SERVER
    
    --[DESCRIPTION OF ABUSE]---------------------------------------------
    -------------------------------snip--------------------------------------------------------------------------------------
    
    
    
    
    Symantec Norton AntiVirus 2001 POP3 Proxy Local DoS
    
    Reference
    SecurityFocus BugTraq ID 5692, Norton AntiVirus 2001 POP proxy Username
    Local Denial of Service Vulnerability
    
    Risk Impact
    Low
    
    Affected Components
    Symantec Norton AntiVirus 2001 only
    
    
    Symantec Response
    
    The exploit found by Mr. Jan-Wever is a local exploit only and is a
    self-directed denial-of-service impacting only the system upon which the
    targeted version of Symantec Norton AntiVirus 2001 runs.  Because POPROXY
    only accepts requests from the localhost adapter, there is no chance of
    being able to exploit this issue remotely.
    
    However, Symantec takes any security issues with our products, no matter
    how slight, seriously, so we reviewed this problem thoroughly. Symantec
    Norton AntiVirus versions 2002 and later as well as Symantec's Corporate
    and Enterprise AntiVirus scanners are not susceptible to any attacks of
    this nature.
    
    This is a very low-risk, local-only DoS issue with Symantec Norton
    AntiVirus 2001 only that is remedied in follow-on releases.
    
    Symantec further recommends the following best practices to enhance the
    protection of your computers from unauthorized access:
    
    1.    Keep vendor-supplied patches for all software up-to-date.
    2.    Run the latest versions of all software if possible.
    3.    Be wary of mysterious attachments and executables delivered from
          email, user groups, and so on.
    4.    Do not open attachments or executables from unknown sources. Always
          err on the side of caution.
    5.    Even if the sender is known, be wary of attachments if the sender
          does not explain the attachment content in the body of the email.
          You do not know the source of the attachment.
    6.    If in doubt, contact the sender before opening the attachment. If
          still in doubt, delete the attachment without opening it.
    
    Credit
    Symantec takes the security and proper functionality of its products very
    seriously. Symantec appreciates the identification of
    potential areas of concern so it can quickly address the issue. Anyone with
    information on security issues with Symantec products should
    contact symsecurityat_private for proper coordination and rapid response
    to security issues.
    
    Disclaimer
    The information in the advisory is believed to be accurate at the time of
    printing based on currently available information. Use of the
    information constitutes acceptance for use in an AS IS condition. There are
    no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect or
    consequential loss or damage arising from use of, or reliance
    on this information.
    Symantec, Symantec product names and Sym Security are Registered Trademarks
    of Symantec Corp. and/or affiliated companies in the United
    States and other countries. All other registered and unregistered
    trademarks represented in this document are the sole property of their
    respective companies/owners.
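
Added example (not part of the original message and not Symantec's code): a strict parser for the "username/server" login convention described in the quoted NORMAL SITUATION section, refusing malformed USER lines before any upstream connection is made. The abuse description is snipped in this message, so nothing here reproduces it; the function names, the use of the last "/" as separator and the host-name rules are assumptions.

```python
import re

MAX_COMMAND = 255  # octets including CRLF: POP3 command-line limit from RFC 2449
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class BadUserCommand(ValueError):
    """Raised for any USER line the proxy should refuse instead of forwarding."""


def split_proxy_user(line: bytes) -> tuple[str, str]:
    """Parse b'USER user/server\\r\\n' into (user, server) or raise BadUserCommand."""
    if len(line) > MAX_COMMAND:
        raise BadUserCommand("command line too long")
    if not line.endswith(b"\r\n"):
        raise BadUserCommand("missing CRLF terminator")
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        raise BadUserCommand("non-ASCII octet in command") from None
    keyword, sep, arg = text.partition(" ")
    if keyword.upper() != "USER" or not sep:
        raise BadUserCommand("not a USER command with an argument")
    if not arg.isprintable() or " " in arg:
        raise BadUserCommand("control character or space in argument")
    # Assumption: the last '/' separates the fields (a host name cannot contain '/').
    user, slash, server = arg.rpartition("/")
    if not slash or not user or not server:
        raise BadUserCommand("expected user/server")
    labels = server.split(".")
    if len(server) > 253 or not all(HOST_LABEL.match(label) for label in labels):
        raise BadUserCommand("server is not a valid host name")
    return user, server


def upstream_login(line: bytes) -> tuple[str, bytes]:
    """Return (server to connect to, USER line to send to that server)."""
    user, server = split_proxy_user(line)
    return server, f"USER {user}\r\n".encode("ascii")
```
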
    


