NAV 2000 Buffer Overflow
Reported December 22, 1999 by Nicholas Brawn
VERSIONS AFFECTED
Norton Antivirus 2000
DESCRIPTION
A problem with Norton Antivirus 2000 allows the EIP register to be overwritten with 265+ bytes.
POProxy is the program used by Norton Antivirus to proxy POP3 mail collection, in order to identify hostile code (viruses, trojans, etc.) before it reaches the system.
By default Norton Antivirus' POP3 scanning supports Qualcomm Eudora and Microsoft Outlook mail clients. Other mail client software may be configured to use the "Email Protection" feature of Norton Antivirus.
The POProxy program listens on all configured network interfaces on TCP port 110.
The POProxy program crashes (stack/EIP overwritten) when 265+ characters are sent as the parameter to the "USER" command.
Note: When tested against POProxy on NT 4.0, this caused the Doctor Watson process to send CPU utilisation to 100%.
The vulnerability may be exploited to execute arbitrary code on a vulnerable system.
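A crash on an over-long "USER" parameter is consistent with the argument being copied into a fixed-size buffer without a length check. The following is an added example, not part of the original advisory and not POProxy's code: a USER-line handler for a POP3 proxy that enforces the protocol limits (40 characters per argument in RFC 1939, 255 octets per command line in RFC 2449) before anything is copied. The function, enum and constant names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_LINE 255 /* RFC 2449: whole command line, CRLF included */
#define POP3_MAX_ARG   40 /* RFC 1939: each argument */

enum pop3_result { POP3_OK, POP3_ERR_LINE_TOO_LONG, POP3_ERR_ARG_TOO_LONG, POP3_ERR_SYNTAX };

/* Validate one untrusted "USER <name>CRLF" line of len bytes and copy the
 * name into out (out_size bytes). Nothing is copied unless every check passes. */
enum pop3_result parse_user(const char *line, size_t len, char *out, size_t out_size)
{
    static const char kw[] = "USER";
    size_t i, arg_len;

    if (out_size == 0)
        return POP3_ERR_SYNTAX;
    out[0] = '\0';
    if (len > POP3_MAX_LINE)              /* length is checked before content */
        return POP3_ERR_LINE_TOO_LONG;
    if (len < 8 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return POP3_ERR_SYNTAX;           /* shortest valid line: "USER x\r\n" */
    for (i = 0; i < 4; i++)               /* keywords are case-insensitive */
        if (toupper((unsigned char)line[i]) != kw[i])
            return POP3_ERR_SYNTAX;
    if (line[4] != ' ')
        return POP3_ERR_SYNTAX;
    arg_len = len - 5 - 2;                /* strip "USER " and CRLF */
    if (arg_len > POP3_MAX_ARG || arg_len >= out_size)
        return POP3_ERR_ARG_TOO_LONG;
    for (i = 0; i < arg_len; i++)         /* printable ASCII, no spaces or controls */
        if (!isgraph((unsigned char)line[5 + i]))
            return POP3_ERR_SYNTAX;
    memcpy(out, line + 5, arg_len);
    out[arg_len] = '\0';
    return POP3_OK;
}

int main(void)
{
    char name[POP3_MAX_ARG + 1], big[5 + 300 + 2];  /* constructed sample input */
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 300);
    memcpy(big + 305, "\r\n", 2);
    printf("normal: %d\n", parse_user("USER alice\r\n", 12, name, sizeof name));
    printf("oversized: %d\n", parse_user(big, sizeof big, name, sizeof name));
    return 0;
}
```

Deployments whose mailbox names exceed 40 characters would raise POP3_MAX_ARG together with the destination buffer; the point is that the limit and the buffer size are checked against each other before the copy.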
Suggested by the discoverer and not necessarily endorsed by this site:
It is recommended that you disable "Email Protection" in Norton Antivirus, until a workaround or patch is made available by the vendor.
To disable email protection go to:
Start->Programs->Norton AntiVirus->Norton AntiVirus 2000
Click on "Options", and under Email Protection, uncheck the "Enable Email Protection" box.
If disabling email protection is not an acceptable option, you may choose to implement a third-party firewalling product to disallow unauthorised connections to TCP port 110. Check out http://www.networkice.com.
Unknown at the time of this writing.
Discovered by Nicholas Brawn