NAV 2001 DoS Vulnerability

News of 12 September 02 Author: Eymerich
Although the 2003 version is now available, many users still run the 2001 version of Norton AntiVirus. This news item is addressed to them: a vulnerability has been identified in POPROXY, the component that filters email. Under particular conditions it can cause the system to crash.

Description:

Product: Norton AntiVirus 2001 version 7.07.23D (fully patched with LiveUpdate)
POPROXY.EXE version
Platform: Microsoft Windows
Severity: Low: Local DoS
Release Date: September 11, 2002

--[NORMAL SITUATION]------------------
NAV2001 uses a POP3 proxy to check incoming messages for viruses called POPROXY.EXE. POPROXY performs a man-in-the-middle function, checking messages before they are sent to the client. NAV2001 can automatically configure email clients to login to "" (which points to with a username consisting of "username/server". This is how POPROXY knows which server to logon to and which username to use.

Email Client -> username="user/POP3SERVER" -> POPROXY
POPROXY -> username="user" -> POP3 SERVER

--[DESCRIPTION OF ABUSE]------------------
The username you supply to POPROXY can contain multiple slashes ("/") but only the last one is used as a separator. This supplies us a way to loop POPROXYs; username = "user/POP3SERVER/localhost" will result in this:

Email Client -> username="user/POP3SERVER/localhost" -> POPROXY(1)
POPROXY(1) -> username="user/POP3SERVER" -> POPROXY(2)
POPROXY(2) -> username="user" -> POP3 SERVER

By opening multiple connections and/or adding a lot of "/localhost"s to the username, POPROXY can be kept busy using 100% cpu for a long time, consuming over 57K of memory for every "/localhost" provided. If you open enough connections with a big enough username (tested: 2x22K, 3x8K, 5x4k,...) it will finally crash with an exception, probably because it runs out of memory and a pointer returns 0.

--[IMPLICATIONS]-------------------------
POPROXY only accepts local connections so this will not be remotely exploitable easily.
POPROXY will return to normal operation if no exception occurs. If one does, POPROXY dies and users on the machine will not be able to check their email until POPROXY.EXE is manually restarted (NAV2001 is not able to restart this!) or the computer is rebooted.

--[DISCUSSION]----------------------------
Using IP spoofing, POPROXY might be fooled to accept remote data making this a remote attack. Also I have not checked if the exception is exploitable, I'm not that good at exploiting yet.

Author: Berend-Jan Wever
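
The check a proxy of this kind could apply to the login name before forwarding it, shown as an added example that is not part of the advisory and not Symantec's code. It splits on the last slash as the advisory describes, then refuses names that would route the session back into the local proxy. The function names, the 256-character cap and the rule that mailbox names contain no "/" are assumptions.

```python
import ipaddress
import socket

MAX_USERNAME_LEN = 256  # assumed cap, far below the multi-KB names in the advisory


class RejectedLogin(ValueError):
    """Raised when a proxy login name must not be forwarded."""


def is_loopback(host, resolve=socket.gethostbyname):
    """Return True if host is, or resolves to, a loopback address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except OSError as exc:
            raise RejectedLogin(f"cannot resolve upstream {host!r}") from exc
    return addr.is_loopback


def parse_proxy_login(username, resolve=socket.gethostbyname):
    """Split 'user/server' on the last slash and refuse self-referencing routes."""
    if len(username) > MAX_USERNAME_LEN:
        raise RejectedLogin("username too long")
    user, sep, server = username.rpartition("/")
    if not sep or not user or not server:
        raise RejectedLogin("expected user/server")
    if "/" in user:
        # Assumption: real mailbox names contain no '/', so a leftover slash
        # means the name would be routed through another proxy hop.
        raise RejectedLogin("nested routing in username")
    if is_loopback(server, resolve):
        raise RejectedLogin("upstream points back at the local proxy")
    return user, server


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    table = {"localhost": "127.0.0.1", "pop3.example.test": "192.0.2.10"}
    for name in ("user/pop3.example.test", "user/POP3SERVER/localhost", "user/localhost"):
        try:
            print(name, "->", parse_proxy_login(name, table.__getitem__))
        except RejectedLogin as why:
            print(name, "-> rejected:", why)
```

A proxy applying this check should connect to the address it just validated rather than resolving the server name a second time.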


Category: Security
