Norton AntiSpam Remote Buffer Overrun (#NISR19042004a)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 03/19/04

  • Next message: J. Merrill: "Re: Windows Update Error 0x800C0008 after updating the WU client"
    Date:         Fri, 19 Mar 2004 14:09:55 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Norton AntiSpam Remote Buffer Overrun
    Systems Affected: Windows XP (not confirmed on 2000)
    Severity: High
    Vendor URL: http://www.symantec.com
    Author: Mark Litchfield [ mark@ngssoftware.com ]
    Date Vendor Notified: 4th March 2004
    Date of Public Advisory: 19th March 2004
    Advisory number: #NISR19042004a
    Advisory URL: http://www.ngssoftware.com/advisories/antispam.txt

    Description
    ***********

    Symantec's Norton AntiSpamT 2004 filters unwanted email out of your inbox.
    Working with any POP3 email program, it filters incoming mail on multiple
    levels, detecting and flagging unsolicited messages while promptly
    delivering valid mail. To make your online time more enjoyable, Norton
    AntiSpam also blocks intrusive pop-up and banner ads.
    It is worth mentioning here, that Norton AntiSpamT is also packaged within
    Norton Internet Security 2004 and Norton Internet Security 2004
    Professional.

    Details
    *******

    Installed with Norton AntiSpam is an ActiveX component that is marked safe
    for scripting, namely SymSpamHelper Class (c:\program files\common
    files\symantec shared\antispam\symspam.dll).
    Using the method LaunchCustomRuleWizard with an overly long parameter, an
    attacker can cause a stack based overflow allowing the ability to remotley
    run arbitrary code on the target. This can be achieved either by
    encouraging the 'victim' to visit a malicious web page or placing a script
    within the content of an (html) email.

    Fix Information
    ***************

    Shipped with all Symantecs products is the LiveUpdate feature. Open Norton
    AntiSpam or Norton Internet Security / Professional and select the
    LiveUpdate feature which will retrieve the lastest patch. Also worth
    mentioning is Symantec's quick response to this issue in ensuring their
    clients remain protected.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: J. Merrill: "Re: Windows Update Error 0x800C0008 after updating the WU client"

    Relevant Pages