exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

norton.2000.txt

norton.2000.txt
Posted Dec 20, 1999
Authored by Nicholas Brawn

w00w00 announcment about an exploitable buffer overflow in the POProxy program shipped with Norton Antivirus 2000 for Windows 95/98/NT/2000.

tags | exploit, overflow
systems | windows
SHA-256 | 71353195c368a425177adddf5f0313879278613d3f2067468d5866251a84344a

norton.2000.txt

Change Mirror Download
This was going to be w00giving #11 (w00giving #10 will be posted within
the next few days). Anyway, this allows EIP to be overwritten with 265+
bytes, which person who posted this vulnerability failed to mention or
failed to notice. It's unclear if he labeled it as a DoS because he
didn't realize it overwrote EIP or because he was unable to produce an
exploit. We have not had a chance to write an exploit and we will also
try to do that within the next few days.

w00w00 Security Development

Title: Buffer Overflow in POProxy (Norton Antivirus 2000)
Platforms: Windows 95/98/NT/2000
Date: 11th December, 1999
Last Updated: n/a
Vendor Notified: n/a
Author: Nicholas Brawn <ncb@attrition.org>

1. Background

POProxy is the program used by Norton Antivirus to proxy POP3 mail
collection, in order to identify hostile code (viruses, trojans, etc) before
it reaches the system.

By default Norton Antivirus' POP3 scanning supports Qualcomm Eudora and
Microsoft Outlook mail clients. Other mail client software may be configured
to use the "Email Protection" feature of Norton Antivirus.

The POProxy program listens on all configured network interfaces on TCP
port 110.

2. Description

The POProxy program crashes (stack/EIP overwritten) when 265+ characters
are sent as the parameter to the "USER" command.

Note: When tested against POProxy on NT 4.0, this caused the Doctor Watson process
to send CPU utilisation to 100%.

3. Impact

The vulnerability may be exploited to execute arbitrary code on a vulnerable
system.

4. Recommendation

It is recommended that you disable "Email Protection" in Norton Antivirus,
until a workaround or patch is made available by the vendor.

To disable email protection go to:
Start->Programs->Norton AntiVirus->Norton AntiVirus 2000

Click on "Options", and under Email Protection, uncheck to Enable Email
Protection box.

If disabling email protection is not an acceptable option, you may choose to
implement a third-party firewalling product to disallow unauthorised
connections to TCP port 110. Checkout http://www.networkice.com.

5. References

- Norton Antivirus 2000: http://www.symantec.com/nav/nav_9xnt/
- w00w00 Security Development: http://www.w00w00.org/


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close