COMMAND
Norton Antivirus
SYSTEMS AFFECTED
Norton Antivirus for Exchange 1.5
PROBLEM
Jim Rosenberg found the following. Norton Antivirus for Exchange
(NavExchange), a product of Symantec, suffers from two major
problems, with impact described below. The system tested was
version 1.5. The most recent version is 2.0, which was not
tested, but based on information from Symantec it is believed 2.0
is also vulnerable to the same problems.
1. "Fail-Open" Design
=====================
When an inbound e-mail message arrives, a separate service
(NavExchange) is contacted to scan messages for viruses. Under
certain circumstances -- not entirely clear -- NavExchange will
enter a state in which it fails to properly respond. When it
enters this state, messages containing viruses will be transmitted
through to the addressed recipient(s), leaving the system
completely unprotected. Jim had at least one fairly clear case in
which it apparently entered this state as the result of the
LiveUpdate process. In other cases it is suspected it can enter
this state as the result of errors in the scanning process, e.g.
2. below.
When NavExchange has entered this "fail-open" state, an incoming
e-mail message containing a virus will leave an error message in
the Event Log. Thus the NavExchange system is not completely
"dead", and even seems somehow aware of its own failure. It is
not clear that Symantec has warned customers of the urgency of
acting on these Event Log messages, or that they are completely
unprotected when this happens. An example of such a message (as
exported by the NT Resource Kit utility DUMPEL) looks like this:
6/6/2000 4:07:42 AM 1 400 45 NavExchange N/A MAIL 80004005h Jim
Rosenberg\Inbox Automated Virus Check Message eicar_eicar.com
By contrast, a "normal" virus detection Event Log message looks
like this:
6/6/2000 5:53:17 AM 2 384 3 NavExchange N/A MAIL EICAR Test String.68
eicar_eicar.com Jim Rosenberg\Inbox Repaired
When NavExchange has entered this "fail-open" state it will
apparently stay in this state indefinitely until the service is
stopped and restarted. Once the service has been restarted, it
appears virus protection is restored.
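Because the only trace of the fail-open state is an Event Log entry, the practical mitigation on a 1.5 deployment is to watch for that entry. The following is an added example, not part of the advisory or of Symantec's product: it parses a DUMPEL-style export and separates the fail-open event (type 1, error code 80004005h, which is the generic COM E_FAIL) from a normal detection event (which ends in a disposition such as "Repaired"). The sample lines are constructed from the two events quoted above plus one unrelated event; the column order (date, time, type, category, event id, source, user, computer, strings) is assumed to be DUMPEL's default tab-separated layout.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample of a DUMPEL export (tab-separated), modelled on the two
# NavExchange events quoted in the advisory plus one unrelated event.
# Column order assumed: date, time, type, category, event id, source, user,
# computer, strings.
SAMPLE_DUMPEL = (
    "6/6/2000\t4:07:42 AM\t1\t400\t45\tNavExchange\tN/A\tMAIL\t"
    "80004005h Jim Rosenberg\\Inbox Automated Virus Check Message eicar_eicar.com\n"
    "6/6/2000\t5:53:17 AM\t2\t384\t3\tNavExchange\tN/A\tMAIL\t"
    "EICAR Test String.68 eicar_eicar.com Jim Rosenberg\\Inbox Repaired\n"
    "6/6/2000\t6:10:03 AM\t4\t0\t1000\tSomeOtherService\tN/A\tMAIL\t"
    "Service started\n"
)

SOURCE = "NavExchange"
TYPE_ERROR = "1"                 # DUMPEL type column: 1 = error
FAIL_OPEN_MARKER = "80004005h"   # E_FAIL, the HRESULT in the advisory's fail-open sample
DISPOSITIONS = ("Repaired",)     # outcomes of a normal detection; the page shows "Repaired"


@dataclass
class Event:
    date: str
    time: str
    event_type: str
    category: str
    event_id: str
    source: str
    user: str
    computer: str
    strings: str

    def is_fail_open(self) -> bool:
        """The scanner logged a failure instead of a verdict: the message
        was delivered unscanned."""
        return (self.source == SOURCE and self.event_type == TYPE_ERROR
                and FAIL_OPEN_MARKER in self.strings)

    def is_detection(self) -> bool:
        """A normal detection names a signature and ends with a disposition."""
        return (self.source == SOURCE and not self.is_fail_open()
                and self.strings.endswith(DISPOSITIONS))


def parse_dumpel(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 8)   # the strings column is everything after the 8th tab
        if len(parts) != 9:
            continue                  # malformed line: skip rather than guess
        events.append(Event(*parts))
    return events


def fail_open_events(text: str) -> List[Event]:
    """Events that mean the server is currently passing mail unscanned."""
    return [e for e in parse_dumpel(text) if e.is_fail_open()]


def detections(text: str) -> List[Event]:
    return [e for e in parse_dumpel(text) if e.is_detection()]


if __name__ == "__main__":
    for e in fail_open_events(SAMPLE_DUMPEL):
        print(f"ALERT fail-open at {e.date} {e.time} on {e.computer}: {e.strings}")
```

Run against a scheduled DUMPEL export, any hit from fail_open_events is the cue to restart the NavExchange service, since the advisory notes the state persists until the service is stopped and restarted.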
2. Buffer Overrun in the NavExchange unzip engine
=================================================
Because an e-mail message could contain an attachment which is a
.zip file, and members of the .zip archive might contain viruses,
NavExchange includes a component for unzipping files. This
component contains a buffer overrun when the .zip attachment
contains long file names.
There is a known vulnerability in Eudora concerning .zip attachments
with long file names, and its advisory included an attachment to
illustrate the problem. That attachment caused a NavExchange
failure, indicating that NavExchange suffers from the same
problem.
The message in question has Message-ID
<002801bfbe6c$eccd5bd0$0100a8c0@ultor> from Ultor <Ultor@HERT.ORG>, subject:
By sending this message through the mail system we can, with 100%
reproducibility, cause NavExchange to fail. The vendor has
acknowledged that this attachment "will take down our
decomposers".
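A gateway that cannot patch the decomposer can at least refuse to hand it archives whose names exceed what a fixed-size buffer could hold. The following is an added example, not code from the advisory or from Symantec: it reads the 16-bit file-name-length field of each central directory entry directly from the zip structure, without decompressing anything or copying a name into a buffer, and routes the attachment to quarantine if any entry is over a policy limit or the archive is malformed. The 255-character limit, the build_test_zip helper and the test archives are assumptions constructed for this example; the quarantine-on-error behaviour mirrors what the SOLUTION section says NAVMSE 2.1 does with files that cause scan problems.

```python
import io
import struct
import zipfile
from typing import List

EOCD_SIG = b"PK\x05\x06"           # end of central directory record
CDFH_SIG = b"PK\x01\x02"           # central directory file header
EOCD_FMT = "<IHHHHIIH"             # 22 bytes
CDFH_FMT = "<IHHHHHHIIIHHHHHII"    # 46 bytes
MAX_NAME_LEN = 255                 # assumed gateway policy, not a value from the advisory


def entry_name_lengths(data: bytes) -> List[int]:
    """Return the file-name-length field of every central directory entry.
    Only fixed-size headers are unpacked, so the check cannot itself be
    overrun by a hostile name."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + struct.calcsize(EOCD_FMT) > len(data):
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_off,
     _comment_len) = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    lengths = []
    pos = cd_off
    for _ in range(n_total):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("corrupt central directory")
        fields = struct.unpack(CDFH_FMT, data[pos:pos + 46])
        # fields[10..12] are file name length, extra field length, comment length
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        lengths.append(name_len)
        pos += 46 + name_len + extra_len + comment_len   # skip the variable part
    return lengths


def screen_attachment(data: bytes, limit: int = MAX_NAME_LEN) -> str:
    """'scan' if the archive may be passed to the AV decomposer,
    'quarantine' if it is malformed or carries an over-long member name."""
    try:
        lengths = entry_name_lengths(data)
    except ValueError:
        return "quarantine"          # unparseable archives are treated as suspect
    if any(n > limit for n in lengths):
        return "quarantine"
    return "scan"


def build_test_zip(names: List[str]) -> bytes:
    """Constructed test input: an in-memory zip with one tiny file per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"test")
    return buf.getvalue()


if __name__ == "__main__":
    print(screen_attachment(build_test_zip(["readme.txt"])))        # scan
    print(screen_attachment(build_test_zip(["a" * 300 + ".txt"])))  # quarantine
```

The screen reads the central directory rather than walking local headers because local headers may defer sizes to a data descriptor, which makes sequential walking unreliable on exactly the kind of odd archive a gateway should be suspicious of.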
Impacts fall into three grades of severity:
A) Entry Mechanism for viruses
A virus "armored" inside of a .zip attachment with long file
names is virtually guaranteed to be able to slip through
NavExchange and reach the recipient. In this case the system
administrator will have an Event Log message noting the
failure, but may not realize the implications. Many NT systems
have no method of explicitly notifying the system administrator
when Event Log messages of a particular kind occur, and indeed
the whole Event Log mechanism typically requires diligence on
the part of the system administrator to scan these logs
manually. Since such an armored e-mail message could arrive
overnight or on a weekend, there is more than sufficient time
for the message to trigger an infection before the Event Log
message is noticed.
B) A remote user may be able to disable virus protection
Jim suspects but cannot prove that mechanism 2) above may be
able to induce the fail-open state 1) described above. He
cannot actually cause this to happen.
C) A remote user may be able to compromise the security of the
mail server
Because problem 2) above is a buffer overrun, there is the
potential that a suitably designed exploit could execute code as
the Exchange user.
SOLUTION
Both of the issues listed above are fixed in NAVMSE 2.1. The
actual scanning is now handled by separate processes that can be
monitored for problems. They can be shut down and restarted when a
problem occurs. Files that cause scan problems are considered
suspect and are moved to the quarantine.