[25078] in bugtraq
Norton Personal Firewall 2002 vulnerable to SYN/FIN scan
daemon@ATHENA.MIT.EDU (Alfonso Fiore)
Tue Apr 16 18:38:28 2002
Message-ID: <20020416183110.22491.qmail@earth-sky-water-fire.org>
From: "Alfonso Fiore" <afiore@secure-edge.com>
To: bugtraq@securityfocus.com
Date: Tue, 16 Apr 2002 20:31:09 +0200
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi all,
I looked briefly in bugtraq archives and I didn't find any reference to this
issue. Please accept my apologies, if it's a known problem.
Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scan
(SYN/FIN/URG, SYN/FIN/PUSH, SYN/FIN/URG/PUSH are not detected as well) also
if you activate "detect portscan".
The windows machine answers the same way with or without NPF.
open TCP port answer (hping output):
len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616
rtt=0.8 ms
close TCP port answer (hping output):
len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms
This way, you can check which ports are listening and you don't get
blacklisted. When NPF detects a port scan, it filters all packets from the
source IP for the next 30 mins. By the way, I tried to understand this
feature: after some tests, I got the idea that NPF stops ONLY SYN packets
FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN
scan while blacklisted and also that you can go on with an established
connection from a blacklisted IP. You just can't start a new connection FROM
the blacklisted machine (but you can start it from the "protected" PC). I
guess this way to implement a blacklist is mainly for performances. Any
comment?
Moreover, since you can't change the 30 mins default blacklist time, this
can help a lot in fingerprinting Norton Personal Firewall making your IP
blacklisted and then trying to send again SYN packets on an open port after
30 mins.
In my probe test, I also tried to check the claim "block fragmented IP
Packets" in advanced options, attacking the windows box with the old jolt2
(MS00-029 May 2000). Of course, the windows 2000 has NO patch or SP which
would prevent the attack to success. You might say a computer should always
be uptodate with patches, but this was a proof-of-concept of a future
undiscovered fragmented IP bug againts a claim of being able to block
fragments.
NPF is NOT able to protect my Windows 2000 against jolt2.
Thanks for reading,
alfonso
Vendor URL:
===========
You can visit the vendors webpage here:
http://www.symantec.com/sabu/nis/npf/
Vendor response:
================
The vendor was contacted on the 5th of April, 2002 using a web form at
http://service4.symantec.com/discuss/support/feedback2.nsf/product+feedback
No reply so far.
DISCLAIMER
==========
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.
