December 22, 1999
KeyLabs Tests Confirm E-mail Scanner Fears: Security Hole Pops Up In Norton AntiVirus 2000
by Bradley F. Shimmin
VIRUSES ARE SCARY, especially e-mail viruses. They strike mercilessly, without warning or recourse. However, considering a recently discovered security hole within Symantec's Norton AntiVirus 2000, it now appears that e-mail virus-scanning applications themselves can be just as scary as the viruses they seek to eradicate.
From the outside, a machine running Norton AntiVirus 2000 looks a lot like a POP server.
The problem is twofold. Tests conducted at KeyLabs confirm that the real-time e-mail scanning technique used by Norton AntiVirus 2000 on Windows 95/98/NT leaves a TCP/IP port wide open to Internet-borne attackers. What's more, the AntiVirus 2000 component left guarding that port is itself assailable and can, in certain situations, crash the host machine.
On paper, Norton's idea of automatic e-mail virus scanning sounds compelling. The open port used by AntiVirus 2000 houses a Post Office Protocol (POP) server, which acts as a proxy for the actual POP server. When you download an e-mail message, the proxy stands between you and the real POP server, giving AntiVirus 2000 the time and leeway it needs to scan the incoming stream for virus signatures.
Point a telnet application at port 110 and POProxy will respond with a nice greeting.
But this technique creates two potentially dangerous situations. First, it makes your computer visible on the Internet, thereby creating an open invitation to hackers. "Hackers scan a range of IP addresses," explained computer consultant Timothy J. McNitt. "If they find a POP server, they start poking."
Second, the proxy application that runs on this port (port 110) can act as an entry point for attackers. KeyLabs testing uncovered a number of buffer overrun vulnerabilities within the proxy server (called POProxy). "By sending a string of more than 256 characters to the server from a telnet application within the USER command," stated BugNet engineer Ken Brady, "we could repeatedly crash POProxy."
More interestingly, by telling AntiVirus 2000 to temporarily suspend e-mail virus scanning and then sending a series of oversized input strings over telnet to the proxy server on port 110, BugNet testers were able to crash the Windows 98 SE host, though not consistently.
The situation on Windows NT isn't much better. According to tests conducted both at KeyLabs and at w00w00 Security Development (WSD), an oversized string sent to POProxy on a Windows NT machine causes Dr. Watson to push CPU utilization to 100 percent for approximately 30 seconds before POProxy crashes.
Throwing 256-plus characters at POProxy on a Windows NT machine pushed CPU utilization through the roof.
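The overrun described above is a missing length check in front of a fixed-size buffer. As an added example (not code from the article, Symantec or KeyLabs), here is the kind of bounded command filter a pass-through POP3 proxy can apply to every client line before copying or relaying it. The limits are taken from the POP3 standards: RFC 1939 caps each argument at 40 characters and RFC 2449 caps a command line at 255 octets including CRLF. The sample client lines, including the over-256-character USER line, are constructed here; the function and constant names are my own.

```python
# Added example, not code from the article, Symantec or KeyLabs: length
# validation a pass-through POP3 proxy can apply to each client line before
# relaying it. Limits follow RFC 1939 (40-character arguments) and RFC 2449
# (255-octet command line including CRLF). An oversized line is rejected
# before it is ever copied anywhere, which is the check a fixed 256-byte
# buffer needs in front of it.

MAX_LINE = 255   # RFC 2449: whole command line, CRLF included
MAX_ARG = 40     # RFC 1939: each argument


class CommandError(ValueError):
    """A client line the proxy refuses to relay."""


def check_command(raw):
    """Validate one raw POP3 client line; return (KEYWORD, args) or raise."""
    if len(raw) > MAX_LINE:
        raise CommandError(f"line too long ({len(raw)} octets > {MAX_LINE})")
    if not raw.endswith(b"\r\n"):
        raise CommandError("line not CRLF-terminated")
    body = raw[:-2]
    # POP3 commands are printable ASCII; refuse control bytes and 8-bit data.
    if not body.isascii() or any(b < 0x20 or b == 0x7F for b in body):
        raise CommandError("control or non-ASCII byte in command")
    parts = body.decode("ascii").split(" ")
    keyword, args = parts[0].upper(), parts[1:]
    if not (3 <= len(keyword) <= 4 and keyword.isalpha()):
        raise CommandError("malformed keyword")
    if any(len(a) == 0 or len(a) > MAX_ARG for a in args):
        raise CommandError(f"argument empty or longer than {MAX_ARG} characters")
    return keyword, args


def filter_session(lines):
    """Decide, line by line, what a proxy would relay and what it would drop."""
    verdicts = []
    for raw in lines:
        try:
            keyword, _ = check_command(raw)
            verdicts.append(("relay", keyword))
        except CommandError as err:
            verdicts.append(("reject", str(err)))
    return verdicts


# Constructed client lines: a normal login, the 256-plus character USER
# line the article describes, a 41-character argument, and a bare STAT.
SAMPLE_LINES = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"USER " + b"A" * 300 + b"\r\n",
    b"USER " + b"B" * 41 + b"\r\n",
    b"STAT\r\n",
]

if __name__ == "__main__":
    for raw, (verdict, detail) in zip(SAMPLE_LINES, filter_session(SAMPLE_LINES)):
        print(f"{verdict:6} {len(raw):4} octets  {detail}")
```

The order of the checks matters: the total-length test runs first, on the raw bytes, so an overlong line is refused before anything is decoded or split, and the per-argument test catches a line that fits the 255-octet limit but still carries an argument larger than a protocol-sized buffer would expect.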
Symantec is aware of AntiVirus 2000's behavior. "In Norton AntiVirus 2000, we do make a port available when we implement the e-mail scanner," said Marian Merritt, group product manager. "And whenever you make a port available, you open a potential security hole." However, Symantec maintains that such behavior does not warrant an action. "We do not intend to create a 'patch' since the issue is one we understand and do not view as a 'bug' or security flaw," Merritt continued.
According to Symantec, POProxy is a "pass-through" proxy server, which doesn't store any account information or grant any access to the local file system or to any e-mail accounts on the real POP server. If IT managers are still concerned, the company suggests that they instruct their firewalls to simply disallow all incoming POP connections. This will ensure that outsiders can't scan for open POP ports.
For users like McNitt, however, it's not just corporations that need to worry about this sort of vulnerability. Home users with static IP addresses on high-speed connections (DSL, cable modems, etc.) also need to worry about attracting the wrong kind of attention.
"If you don't have an internal network and you have file and print sharing turned off, someone from the outside can't see you, but that would all change, if you install [AntiVirus 2000's] POP proxy," he said. "I get random port scans all the time for my home computer."
If you're concerned about AntiVirus 2000's port policy, you can simply disable e-mail scanning as follows:
From your Start menu, open Norton AntiVirus 2000. Click on the Options pull-down menu. Remove the check mark from the Enable Email Protection checkbox. Click OK and close Norton AntiVirus 2000. This will close POProxy and port 110.

If you still want to scan incoming e-mail attachments, you'll have to save them to a temporary folder and then use AntiVirus 2000 to scan those files for viruses. You'll also have to hold your breath whenever an automatic e-mail virus comes out. "If more viruses like Bubble Boy come through, which don't even require that you open the message, then you'll be at their mercy," added McNitt.

Even if you disable e-mail scanning, because you can't always predict an application's behavior, we recommend that you routinely scan your PC for open TCP/IP ports. You can point your browser to an online scanning service, such as Steve Gibson's Shields Up! at grc.com, to see which ports are open, closed, or operating in stealth mode.
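The article's closing advice is to check your own machine for open ports. As an added example (not code from the article, Symantec or Gibson Research), here is a small audit that connects to a host and port, records whatever greeting comes back, and classifies a listener as a POP3 service when it greets with "+OK", which is how RFC 1939 says a POP3 server announces itself before the client sends anything. So that it runs offline, the block starts its own constructed loopback listener standing in for a POP proxy; the names probe_port, audit, start_demo_listener and run_demo are my own. On a real machine you would point probe_port at the address other hosts see and at port 110.

```python
# Added example, not code from the article or Symantec: an open-port audit
# of the kind the article recommends. probe_port() connects to host:port and
# records the greeting; a POP3 server or proxy announces itself with "+OK"
# (RFC 1939) before the client says anything. start_demo_listener() is a
# constructed stand-in for a POP proxy so the audit can be exercised offline.
import socket
import threading

POP3_PORT = 110


def probe_port(host, port, timeout=2.0):
    """Return {'open': bool, 'banner': str} for host:port."""
    result = {"open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            try:
                data = sock.recv(256)      # greeting, if the service sends one
            except OSError:
                data = b""                 # open but silent within the timeout
            result["banner"] = data.decode("ascii", "replace").strip()
    except OSError:
        pass                               # refused, filtered, or timed out
    return result


def is_pop3_banner(banner):
    """POP3 greetings start with '+OK' (RFC 1939)."""
    return banner.startswith("+OK")


def audit(host, ports=(POP3_PORT,)):
    """Probe each port and classify what answered.
    Returns (port, classification, banner) for every port found open."""
    findings = []
    for port in ports:
        r = probe_port(host, port)
        if r["open"]:
            kind = "POP3 service" if is_pop3_banner(r["banner"]) else "unidentified service"
            findings.append((port, kind, r["banner"]))
    return findings


def start_demo_listener(banner):
    """Constructed stand-in for a POP proxy: accept one loopback connection on
    an ephemeral port, send `banner`, and close. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def run_demo():
    """Audit the constructed listener, then probe a port known to be closed."""
    port, thread = start_demo_listener(b"+OK POP proxy ready (constructed banner)\r\n")
    found = audit("127.0.0.1", (port,))
    thread.join(timeout=5)
    # Find a port that is closed right now: bind, note the number, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    closed = probe_port("127.0.0.1", closed_port, timeout=1.0)
    return {"found": found, "closed": closed}


if __name__ == "__main__":
    res = run_demo()
    for port, kind, banner in res["found"]:
        print(f"port {port}: {kind}: {banner}")
    print("closed-port probe:", res["closed"])
```

A probe against your own loopback address only tells you what is listening; the article's concern is what the Internet can reach, so the meaningful run is from a second host against your external address, or through the firewall rule Symantec suggests (drop inbound connections to port 110), after which the same probe should report the port as not open.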
Story from: bugnet.com