[NT] Norton Antivirus 2001 POP3 Proxy Local DoS
From: support@securiteam.com
Date: 09/12/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 12 Sep 2002 08:16:45 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Norton Antivirus 2001 POP3 Proxy Local DoS
------------------------------------------------------------------------
SUMMARY
Norton Antivirus 2001 POP3 Proxy has been found to be vulnerable to a locally
exploitable denial of service attack. The attack allows an attacker to
cause the product to no longer respond to legitimate requests, effectively
rendering the product useless.
DETAILS
Vulnerable systems:
* Norton Antivirus 2001 version 7.07.23D (fully patched with LiveUpdate),
POPROXY.EXE version 7.7.7.23
NAV2001 uses a POP3 proxy called POPROXY.EXE to check incoming messages for
viruses. POPROXY performs a man-in-the-middle function, checking
messages before they are sent to the client. NAV2001 can automatically
configure email clients to log in to "pop3.norton.antivirus" (which points
to 127.0.0.1) with a username consisting of "username/server". This is how
POPROXY knows which server to log on to and which username to use.
Email Client -> username="user/POP3SERVER" -> POPROXY
POPROXY -> username="user" -> POP3 SERVER
The username you supply to POPROXY can contain multiple slashes ("/") but
only the last one is used as a separator. This provides a way to loop
POPROXYs; username = "user/POP3SERVER/localhost" will result in this:
Email Client -> username="user/POP3SERVER/localhost" -> POPROXY(1)
POPROXY(1) -> username="user/POP3SERVER" -> POPROXY(2)
POPROXY(2) -> username="user" -> POP3 SERVER
By opening multiple connections and/or adding a lot of "/localhost"s to
the username, POPROXY can be kept busy using 100% CPU for a long time,
consuming over 57K of memory for every "/localhost" provided. If you open
enough connections with a big enough username (tested: 2x22K, 3x8K,
5x4k,...) it will finally crash with an exception, probably because it
runs out of memory and a pointer returns 0.
Implications:
POPROXY only accepts local connections, so this will not be easily
exploitable remotely. POPROXY will return to normal operation if no
exception occurs. If one does, POPROXY dies and users on the machine will
not be able to check their email until POPROXY.EXE is manually restarted
(NAV2001 is not able to restart this!) or the computer is rebooted.
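The proxy loop described above can be refused at the point where the login name is split. The following is an added example, not code from the advisory or from the vendor: a sketch of a hardened "user/server" parser that splits on the last slash as the advisory describes, caps the name length, and rejects an upstream server that is the proxy itself. The function names, the 256-byte cap and the self-name list are assumptions.

```python
import ipaddress

MAX_USERNAME_LEN = 256  # assumed cap; the advisory tested names of 4K to 22K
# Names that lead back to the proxy: the alias from the advisory plus localhost.
SELF_NAMES = {"localhost", "pop3.norton.antivirus"}


class RejectedUsername(ValueError):
    """The login name must not be forwarded upstream."""


def is_loopback(host):
    """True if host names the local machine, by alias or by IP literal."""
    h = host.strip().rstrip(".").lower()
    if h in SELF_NAMES:
        return True
    try:
        return ipaddress.ip_address(h.strip("[]")).is_loopback
    except ValueError:
        # Not an IP literal. A real proxy must also check the address the
        # name resolves to before connecting; omitted to stay offline.
        return False


def parse_proxy_username(username):
    """Split "user/server" on the last slash, as the advisory describes,
    and refuse any name that would make the proxy connect to itself."""
    if len(username) > MAX_USERNAME_LEN:
        raise RejectedUsername("username too long")
    user, sep, server = username.rpartition("/")
    if not sep or not user or not server:
        raise RejectedUsername("expected user/server")
    if is_loopback(server):
        raise RejectedUsername("upstream server is the proxy itself")
    return user, server


def verdict(username):
    """Return "forward" or the rejection reason, for logging."""
    try:
        parse_proxy_username(username)
        return "forward"
    except RejectedUsername as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample names in the advisory's notation.
    for name in ("user/POP3SERVER", "user/POP3SERVER/localhost", "user"):
        print(f"{name!r}: {verdict(name)}")
```
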
ADDITIONAL INFORMATION
The information has been provided by <mailto:SkyLined@edup.tudelft.nl>
Berend-Jan Wever.