
Norton AntiVirus for Microsoft Exchange 2000 Information Disclosure Vulnerability

posted on September 9, 2001
by hitbsecnews

A problem exists in Microsoft Exchange 2000 when running with Norton AntiVirus for
Microsoft Exchange. A host running this combination of software can be tricked into
disclosing mail directory paths to an attacker.

Message attachments sent to an affected host will be scanned for malicious content by
Norton AntiVirus for Microsoft Exchange. Upon rejection, the message will be bounced
back to the sender with notification of why the message was rejected. When this happens,
the path to the intended recipient's INBOX is sent in the message header of the rejection
notification. The expected behavior is that the header in the returned message will only
contain the destination address of the user and not the path of the user's INBOX.

An attacker can exploit this by intentionally sending a user on the host a message with an
attachment that the host will reject.

Workaround:

Disable the notification feature that returns rejected messages to the sender.
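
To confirm whether a host is affected, an administrator can inspect the headers of a captured rejection notification for filesystem paths. The following is an added example, not part of the original advisory: the advisory does not name the header involved, so the header name, addresses and path in the sample messages are constructed, and the path pattern is a general Windows-path heuristic.

```python
import re
from email import message_from_string

# Heuristic for drive-letter (D:\...) or UNC (\\server\share\...) paths.
# Paths containing spaces are reported only up to the first space.
WINDOWS_PATH = re.compile(r'(?:\b[A-Za-z]:\\|\\\\[\w.$-]+\\)[^\s"<>;]+')

# Constructed sample: a rejection notice whose header carries a mailbox path.
LEAKY_NOTICE = r"""From: postmaster@mail.example.com
To: sender@other.example.net
Subject: Message rejected: attachment failed virus scan
X-Constructed-Rejected-Item: D:\constructed\mailstore\jdoe\Inbox

Your message to jdoe@mail.example.com was rejected.
"""

# Constructed sample: the expected behavior, destination address only.
CLEAN_NOTICE = r"""From: postmaster@mail.example.com
To: sender@other.example.net
Subject: Message rejected: attachment failed virus scan
X-Constructed-Rejected-Item: jdoe@mail.example.com

Your message to jdoe@mail.example.com was rejected.
"""

def headers_leaking_paths(raw_message):
    """Return (header name, matched path) pairs for every header of the
    message whose value contains a Windows filesystem path."""
    msg = message_from_string(raw_message)
    findings = []
    for name, value in msg.items():
        # Join folded continuation lines before matching.
        unfolded = re.sub(r'\r?\n[ \t]+', ' ', str(value))
        for match in WINDOWS_PATH.finditer(unfolded):
            findings.append((name, match.group(0)))
    return findings

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_NOTICE), ("clean", CLEAN_NOTICE)):
        hits = headers_leaking_paths(raw)
        print(label, "->", hits if hits else "no path in headers")
```

Only headers are examined, because that is where the advisory says the path appears.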

bugtraq id: 3305
class: Design Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: September 07, 2001
updated: September 07, 2001
vulnerable:
Symantec Norton AntiVirus for MS Exchange 2.5
+ Microsoft Exchange Server 2000 SP1
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
+ Microsoft Exchange Server 2000
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
