Date: Tue, 30 Apr 2002 01:13:06 +0200
From: Alfonso Fiore <afiore@secure-edge.com.>
To: bugtraq@securityfocus.com
Subject: Follows: Norton Personal Firewall 2002 vulnerable to SYN/FIN scan
Hi!
I sent a post on bugtraq few weeks ago.
http://online.securityfocus.com/archive/1/267850
Since that time, somobody asked me if the fragment vulnerability I mentioned
was really something to blame NPF of, or not.
The question is: "are you sure that is technically possible to avoid the
jolt2 fragment in an affected windows box without re-implementing a new TCP
stack?"
More details on this are available in the following bugtraq post:
http://online.securityfocus.com/archive/1/62170
In particular, the following is said near the end of the post:
* If the proxy firewall is running on a vulnerable OS and
doesn't have its own network layer code (relies on the MS stack),
the attack will DoS the firewall itself, effectively
DoSing your entire connection.
I did some more tests and I found that the claim on the post quoted is not
entirely correct. A program running on the affected machine can AVOID jolt2
with no need for its own network layer code.
Actually, I even found some more about NPF 2002.
The step by step testing I did follows:
I tried to create two rules (one for TCP and UDP and one for ICMP) to block
ANY packet from my attacking IP (using System Wide Settings and the most
strict setting I could find).
My guess was: if blocking all traffic from that IP would block the jolt2
attack, then the NPF's claim to block IP fragment is false (let's say
"incomplete").
The jolt2 was NOT blocked.
I tried again my SYN/FIN scan (with the aforementioned rules turned on) and
the scan was STILL working. So my *idea* is: NPF applies rules ONLY on TCP
packets with only SYN flag on. Please let me highlight it: I said to NPF to
block ALL TCP, UDP, ICMP traffic from a certain IP and STILL SYN/FIN scan
and jolt2 succeded (Note: no way to block different protocols apart from
these three).
So, about the jolt2 issue: still was not clear if a personal firewall was
possibly technically able to block jolt2.
I did an other test. I removed NPF from the affected system (Windows 2000
with no patch or SP) and installed our personal firewall.
Our personal firewall, called "Pc Protection" ( http://www.pcprotection.it )
is a newborn product and does not have "detect portscan" feature or "block
fragment" feature yet. It's NDIS layer filter.
The guess was: if our personal firewall can block jolt2, then you can place
a personal firewall in Windows 2000 stack to prevent the jolt2 kind of
fragments. Note that our personal firewall does NOT provide its own TCP/IP
stack.
I again created an "ad hoc" rule to block all traffic from the attacker IP
and (put proudness here...) the computer didn't hang!
So, I hope this tests are what you were looking for.
Please feel free to contact me for further help.
Best regards,
Alfonso
Vendor URL:
===========
You can visit the vendors webpage here:
http://www.symantec.com/sabu/nis/npf/
DISCLAIMER
==========
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.
/******
Alfonso Fiore - Security Consultant
Secure Edge srl - your safety .net
http://www.secure-edge.com
******/
