COMMAND
POProxy (Norton Antivirus 2000)
SYSTEMS AFFECTED
Windows 95/98/NT/2000
PROBLEM
Matt Conover posted the following. This was going to be w00giving #11.
Anyway, this allows EIP to be overwritten with 265+ bytes, which
the person who found this vulnerability failed to mention or failed
to notice. It's unclear if he labeled it as a DoS because he
didn't realize it overwrote EIP or because he was unable to
produce an exploit. Author is Nicholas Brawn.
POProxy is the program used by Norton Antivirus to proxy POP3 mail
collection, in order to identify hostile code (viruses, trojans,
etc.) before it reaches the system. By default Norton Antivirus'
POP3 scanning supports Qualcomm Eudora and Microsoft Outlook mail
clients. Other mail client software may be configured to use the
"Email Protection" feature of Norton Antivirus. The POProxy
program listens on all configured network interfaces on TCP port
110.
The POProxy program crashes (stack/EIP overwritten) when 265+
characters are sent as the parameter to the "USER" command.
Note: When tested against POProxy on NT 4.0, this caused the
Doctor Watson process to send CPU utilisation to 100%. The
vulnerability may be exploited to execute arbitrary code on a
vulnerable system.
SOLUTION
It is recommended that you disable "Email Protection" in Norton
Antivirus, until a workaround or patch is made available by the
vendor. To disable email protection go to:
Start->Programs->Norton AntiVirus->Norton AntiVirus 2000
Click on "Options", and under Email Protection, uncheck the "Enable
Email Protection" box. If disabling email protection is not an
acceptable option, you may choose to implement a third-party
firewalling product to disallow unauthorised connections to TCP
port 110. Check out
http://www.networkice.com
If you remove the email client protection in the configuration of
NAV 2000 it stops the POP server.
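For sites that keep Email Protection enabled, the following added example (not part of the original advisory or of any vendor code) scans client-to-proxy POP3 lines reassembled from traffic to TCP port 110 and flags USER arguments at or above the 265-character length reported above. The 40-character level is RFC 1939's per-argument limit; the function names and sample records are constructed for illustration.

```python
import re

# Added example, not from the advisory. Lengths are counted in bytes,
# which equals characters for the ASCII input POP3 expects.
CRASH_LEN = 265       # from the advisory: 265+ characters overwrite EIP
RFC1939_ARG_MAX = 40  # RFC 1939: each argument may be up to 40 characters

# Lenient on case and leading whitespace, since a proxy's parser may be too.
USER_RE = re.compile(rb"^\s*USER(?: (.*))?$", re.IGNORECASE)


def classify_line(line: bytes):
    """Return None for non-USER lines, else (severity, argument_length)."""
    m = USER_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    arg_len = len(m.group(1) or b"")
    if arg_len >= CRASH_LEN:
        return ("overflow-length", arg_len)
    if arg_len > RFC1939_ARG_MAX:
        return ("rfc-violation", arg_len)
    return ("ok", arg_len)


def scan(records):
    """records: iterable of (source_ip, raw_line). Return alertable findings."""
    findings = []
    for src, line in records:
        result = classify_line(line)
        if result and result[0] != "ok":
            findings.append((src, result[0], result[1]))
    return findings


# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", b"USER alice\r\n"),
    ("192.0.2.10", b"PASS example\r\n"),
    ("198.51.100.7", b"user " + b"x" * 64 + b"\r\n"),
    ("203.0.113.5", b"USER " + b"x" * 300 + b"\r\n"),
    ("203.0.113.5", b"STAT\r\n"),
]

if __name__ == "__main__":
    for src, severity, length in scan(SAMPLE):
        print(f"{src}: USER argument of {length} bytes ({severity})")
```

Any "overflow-length" finding from an address that is not a local mail client is worth investigating, since POProxy listens on all configured interfaces.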