Subject: [w00giving #11] Norton Antivirus' POProxy

w00w00 Security Development
http://www.w00w00.org/advisories.html

--------------------------------------------------------------------------
Discovered by: Nicholas Brawn (ncb@attrition.org)

POProxy is the program used by Norton Antivirus to proxy POP3 mail 
collection, in order to identify hostile code (viruses, trojans, etc) 
before it reaches the system.  The POProxy program listens on all
configured network interfaces on TCP port 110. 

The POProxy program crashes (stack/instruction pointer overwritten) when
265+ characters are sent as the parameter to the "USER" command.  This
affects Win 98/NT/2000 and allows a remote user to execute arbitrary code.

Note: when tested against POProxy on NT 4.0, this caused the Doctor Watson
process to send CPU utilisation to 100%. 

--------------------------------------------------------------------------
Exploit:

--------------------------------------------------------------------------
Patch:

Until Norton AV releases an official patch, we provide the following work
around:

It is recommended that you disable "Email Protection" in Norton Antivirus,
until a workaround or patch is made available by the vendor.

To disable email protection go to:
Start->Programs->Norton AntiVirus->Norton AntiVirus 2000
(or whatever it's installed on)

Click on "Options", and under Email Protection, uncheck to Enable Email
Protection box.

If disabling email protection is not an acceptable option, you may choose to
implement a third-party firewalling product to disallow unauthorized
connections to TCP port 110. Check out http://www.networkice.com.

--------------------------------------------------------------------------
Contributors to w00giving: eEye Digital Security and Underground Security
Systems Research (USSR)

w00friends:
http://www.attrition.org
http://www.eEye.com
http://www.ussrback.com