COMMAND

    POProxy (Norton Antivirus 2000)

SYSTEMS AFFECTED

    Windows 95/98/NT/2000

PROBLEM

    Matt Conover posted following.  This was going to be w00giving #11
    Anyway, this allows EIP to  be overwritten with 265+ bytes,  which
    person who found  this vulnerability failed  to mention or  failed
    to notice.   It's unclear  if he  labeled it  as a  DoS because he
    didn't  realize  it  overwrote  EIP  or  because  he was unable to
    produce an exploit.  Author is Nicholas Brawn.

    POProxy is the program used by Norton Antivirus to proxy POP3 mail
    collection, in order to  identify hostile code (viruses,  trojans,
    etc) before it reaches the  system.  By default Norton  Antivirus'
    POP3 scanning supports Qualcomm Eudora and Microsoft Outlook  mail
    clients.  Other mail client software may be configured to use  the
    "Email  Protection"  feature  of  Norton  Antivirus.   The POProxy
    program listens on all  configured network interfaces on  TCP port
    110.

    The  POProxy  program  crashes  (stack/EIP  overwritten) when 265+
    characters  are  sent  as  the  parameter  to  the "USER" command.
    Note:  When  tested  against  POProxy  on  NT 4.0, this caused the
    Doctor  Watson  process  to  send  CPU  utilisation  to 100%.  The
    vulnerability  may  be  exploited  to  execute arbitrary code on a
    vulnerable system.

SOLUTION

    It is recommended  that you disable  "Email Protection" in  Norton
    Antivirus, until a  workaround or patch  is made available  by the
    vendor.  To disable email protection go to:

        Start->Programs->Norton AntiVirus->Norton AntiVirus 2000

    Click on "Options", and under Email Protection, uncheck to  Enable
    Email Protection  box.   If disabling  email protection  is not an
    acceptable  option,  you  may  choose  to  implement a third-party
    firewalling product  to disallow  unauthorised connections  to TCP
    port 110. Checkout

        http://www.networkice.com

    If you remove the email client protection in the configuration  of
    NAV 2000 it stops the POP server.