Norton Personal Firewall 2002 vulnerable to SYN/FIN scan

["Alfonso Fiore" <afiore () secure-edge com>]

Hi all, 

I looked briefly in bugtraq archives and I didn't find any reference to this 
issue. Please accept my apologies, if it's a known problem. 

Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scan 
(SYN/FIN/URG, SYN/FIN/PUSH, SYN/FIN/URG/PUSH are not detected as well) also 
if you activate "detect portscan". 

The windows machine answers the same way with or without NPF.
open TCP port answer (hping output):
len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 
rtt=0.8 ms
close TCP port answer (hping output):
len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms 

This way, you can check which ports are listening and you don't get 
blacklisted. When NPF detects a port scan, it filters all packets from the 
source IP for the next 30 mins. By the way, I tried to understand this 
feature: after some tests, I got the idea that NPF stops ONLY SYN packets 
FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN 
scan while blacklisted and also that you can go on with an established 
connection from a blacklisted IP. You just can't start a new connection FROM 
the blacklisted machine (but you can start it from the "protected" PC). I 
guess this way to implement a blacklist is mainly for performances. Any 
comment? 

Moreover, since you can't change the 30 mins default blacklist time, this 
can help a lot in fingerprinting Norton Personal Firewall making your IP 
blacklisted and then trying to send again SYN packets on an open port after 
30 mins. 

In my probe test, I also tried to check the claim "block fragmented IP 
Packets" in advanced options, attacking the windows box with the old jolt2 
(MS00-029 May 2000). Of course, the windows 2000 has NO patch or SP which 
would prevent the attack to success. You might say a computer should always 
be uptodate with patches, but this was a proof-of-concept of a future 
undiscovered fragmented IP bug againts a claim of being able to block 
fragments.
NPF is NOT able to protect my Windows 2000 against jolt2. 

Thanks for reading, 

alfonso 

Vendor URL:
===========
You can visit the vendors webpage here: 
http://www.symantec.com/sabu/nis/npf/ 

Vendor response:
================
The vendor was contacted on the 5th of April, 2002 using a web form at
http://service4.symantec.com/discuss/support/feedback2.nsf/product+feedback
No reply so far. 

DISCLAIMER
==========
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.