NAV 2002: various vulnerabilities found

Discussion in 'other anti-virus software' started by Paul Wilders, Mar 13, 2002.

Thread Status:
Not open for further replies.
Paul Wilders, Administrator
    Summary

    Edvice recently tested NAV 2002's ability to detect viruses in incoming e-mail messages. NAV 2002 includes an Email protection feature that scans incoming and outgoing e-mails for viruses.
    Edvice encountered 4 vulnerabilities in NAV 2002's email protection feature; one of the vulnerabilities affects the Auto-Protect mechanism as well.
    The vulnerabilities allow bypassing NAV 2002's email protection.


    Details

    The following security vulnerabilities were found:

    1) It is possible to bypass NAV 2002 Incoming Email Protection by injecting a NULL character into the MIME message. If the NULL character appears before the virus part, then NAV 2002 fails to detect the virus.

    2) Embedding virus or malicious code in certain non-RFC compliant MIME formats in some instances causes Norton AntiVirus 2002 to prematurely terminate scanning, allowing infected e-mails to go undetected in the initial incoming scanning process.

    3) Two file types, .nch and .dbx, are excluded by default from Norton AntiVirus 2002 scanning. An attacker can take a Word macro virus, rename it with an .nch or a .dbx extension, and send it to a victim. If the victim runs Norton AntiVirus 2002, these files would be excluded from being scanned. Because Windows automatically recognizes Microsoft Office files, double-clicking the file executes the infected document.

    4) By providing different file names in the Content-Type and Content-Disposition fields it is possible to deceive Norton AntiVirus 2002 into excluding the file from being scanned. Outlook will determine the file's name using the Content-Disposition filename field, while Norton AntiVirus 2002 will look at the Content-Type name field and exclude the file from being scanned.

    ------

    source: securiteam.com
     
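As an added illustration that is not part of the thread or the securiteam advisory, the following gateway-side audit flags the three message-level patterns described in items 1, 3 and 4 (a NUL byte in the message, an attachment carrying an extension the scanner skipped, and a name mismatch between Content-Type and Content-Disposition). The excluded-extension list and the sample message are constructed for the example.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Extensions the advisory says NAV 2002 skipped by default (constructed policy list).
EXCLUDED_EXTENSIONS = {".nch", ".dbx"}


def _param(part, header, name):
    """Return a MIME parameter as a plain string, or None if absent."""
    value = part.get_param(name, header=header)
    return collapse_rfc2231_value(value) if value is not None else None


def audit_mime_message(raw: bytes) -> list[str]:
    """Return a list of findings for the evasion patterns described in the advisory."""
    findings = []
    # Item 1: a NUL anywhere in the raw message can truncate a naive scanner's view.
    if b"\x00" in raw:
        findings.append("NUL byte inside MIME message")
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = _param(part, "content-type", "name")
        cd_name = _param(part, "content-disposition", "filename")
        # Item 4: the client and the scanner may pick different names for the same part.
        if ct_name and cd_name and ct_name != cd_name:
            findings.append(f"filename mismatch: Content-Type name={ct_name!r} "
                            f"vs Content-Disposition filename={cd_name!r}")
        # Item 3: either name may steer the file into a scanner exclusion.
        for name in (ct_name, cd_name):
            if name and os.path.splitext(name)[1].lower() in EXCLUDED_EXTENSIONS:
                findings.append(f"attachment uses scanner-excluded extension: {name!r}")
    return findings


# Constructed sample message exercising all three checks (not taken from the advisory).
SAMPLE = (
    b"From: sender@example.invalid\r\nTo: victim@example.invalid\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\x00\r\n"
    b"--XYZ\r\nContent-Type: application/octet-stream; name=\"notes.nch\"\r\n"
    b"Content-Disposition: attachment; filename=\"report.doc\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--XYZ--\r\n"
)

if __name__ == "__main__":
    for finding in audit_mime_message(SAMPLE):
        print(finding)
```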