TUCoPS :: Security App Flaws :: win5267.htm

Norton Personal Firewall 2002 is vulnerable to SYN/FIN scan
17th Apr 2002 [SBWID-5267]
COMMAND

	Norton Personal Firewall 2002 is vulnerable to SYN/FIN scan

SYSTEMS AFFECTED

	Norton Personal Firewall 2002

PROBLEM

	Alfonso  Fiore  [http://www.secure-edge.com/]  found  following  bug  on
	Norton Personal Firewall 2002 :
	

	Norton Personal Firewall 2002 on Windows 2000 is vulnerable  to  SYN/FIN
	scan (SYN/FIN/URG, SYN/FIN/PUSH, SYN/FIN/URG/PUSH are  not  detected  as
	well) also if you activate \"detect portscan\".
	

	The windows machine answers the same way with or without NPF.  open  TCP
	port answer (hping output):
	

	len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms

	

	close TCP port answer (hping output):
	

	len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms 

	

	

	This way, you can check which ports are listening  and  you  don\'t  get
	blacklisted. When NPF detects a port scan, it filters all  packets  from
	the source IP for the next 30 mins. By the way, I  tried  to  understand
	this feature: after some tests, I got the idea that NPF stops  ONLY  SYN
	packets FROM the blacklisted IP. This means that you can  STILL  perform
	a SYN/FIN scan while blacklisted and also that you can  go  on  with  an
	established connection from a blacklisted IP. You just  can\'t  start  a
	new connection FROM the blacklisted machine (but you can start  it  from
	the \"protected\" PC). I guess this way  to  implement  a  blacklist  is
	mainly for performances. Any comment?
	

	Moreover, since you can\'t change the 30 mins  default  blacklist  time,
	this can help a lot in fingerprinting Norton  Personal  Firewall  making
	your IP blacklisted and then trying to send  again  SYN  packets  on  an
	open port after 30 mins.
	

	In my probe test, I also tried to check the claim \"block fragmented  IP
	Packets\" in advanced options, attacking the windows box  with  the  old
	jolt2 (MS00-029 May 2000). Of course, the windows 2000 has NO  patch  or
	SP which would prevent the attack to success. You might say  a  computer
	should always be uptodate with patches, but this was a  proof-of-concept
	of a future undiscovered fragmented IP bug  againts  a  claim  of  being
	able to block fragments.
	

	NPF is NOT able to protect my Windows 2000 against jolt2.

SOLUTION

	Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH