NAV 2000 Buffer Overflow

Reported December 22, 1999 by Nicholas Brawn

VERSIONS AFFECTED
Norton Antivirus 2000

DESCRIPTION

A buffer overflow in Norton Antivirus 2000 allows the EIP register to be overwritten by input of 265 or more bytes.

1. Background

POProxy is the program used by Norton Antivirus to proxy POP3 mail collection in order to identify hostile code (viruses, trojans, etc.) before it reaches the system.

By default, Norton Antivirus' POP3 scanning supports the Qualcomm Eudora and Microsoft Outlook mail clients. Other mail client software may be configured to use the "Email Protection" feature of Norton Antivirus.

The POProxy program listens on all configured network interfaces on TCP port 110.

2. Description

The POProxy program crashes (stack/EIP overwritten) when 265+ characters are sent as the parameter to the "USER" command.

Note: When tested against POProxy on NT 4.0, this caused the Doctor Watson process to send CPU utilisation to 100%.
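The class of fix for this kind of fault, as an added example that is not from the original advisory and is not POProxy's code (its source is not shown here): a USER-line parser that checks the argument length before copying anything. The function name parse_user and the result codes are hypothetical; the 40-character argument limit and the printable-ASCII rule come from RFC 1939.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POP3_ARG_MAX 40 /* RFC 1939: each argument may be up to 40 characters */

enum { USER_OK = 0, USER_NOT_USER = -1, USER_TOO_LONG = -2, USER_MALFORMED = -3 };

/* Hypothetical helper: extract the USER argument from one received line.
 * The length is checked BEFORE any copy; over-long input is rejected,
 * never truncated, and out is always left NUL-terminated. */
int parse_user(const char *line, size_t len, char *out, size_t out_sz)
{
    static const char kw[] = "USER ";
    size_t i, arg_len;

    if (out == NULL || out_sz == 0) return USER_MALFORMED;
    out[0] = '\0';
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                  /* strip trailing CRLF */
    if (len < sizeof kw - 1) return USER_NOT_USER;
    for (i = 0; i < sizeof kw - 1; i++)         /* keywords are case-insensitive */
        if (toupper((unsigned char)line[i]) != kw[i]) return USER_NOT_USER;

    arg_len = len - (sizeof kw - 1);
    if (arg_len == 0) return USER_MALFORMED;
    if (arg_len > POP3_ARG_MAX || arg_len >= out_sz) return USER_TOO_LONG;
    for (i = 0; i < arg_len; i++) {             /* printable ASCII, no spaces or NULs */
        unsigned char c = (unsigned char)line[sizeof kw - 1 + i];
        if (c <= 0x20 || c >= 0x7f) return USER_MALFORMED;
    }
    memcpy(out, line + sizeof kw - 1, arg_len); /* arg_len < out_sz is proven above */
    out[arg_len] = '\0';
    return USER_OK;
}

int main(void)
{
    char name[POP3_ARG_MAX + 1], big[5 + 265 + 2]; /* constructed test input */
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 265);
    memcpy(big + 270, "\r\n", 2);
    printf("normal line: %d\n", parse_user("USER alice\r\n", 12, name, sizeof name));
    printf("265-byte argument: %d\n", parse_user(big, sizeof big, name, sizeof name));
    return 0;
}
```

A proxy that gets USER_TOO_LONG or USER_MALFORMED should answer with -ERR and log the event, since a 265-byte USER argument has no legitimate use.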

3. Impact

The vulnerability may be exploited to execute arbitrary code on a vulnerable system.

DEFENSE

Suggested by the discoverer and not necessarily endorsed by this site:

It is recommended that you disable "Email Protection" in Norton Antivirus, until a workaround or patch is made available by the vendor.

To disable email protection go to:
Start->Programs->Norton AntiVirus->Norton AntiVirus 2000

Click on "Options", and under Email Protection, uncheck the "Enable Email Protection" box.

If disabling email protection is not an acceptable option, you may choose to implement a third-party firewalling product to disallow unauthorised connections to TCP port 110. Check out http://www.networkice.com.

VENDOR RESPONSE

Unknown at the time of this writing.

CREDITS

Discovered by Nicholas Brawn