26th Sep 2002 [SBWID-5267]
COMMAND
	Norton Personal Firewall 2002 is vulnerable to SYN/FIN scan
SYSTEMS AFFECTED
	Norton Personal Firewall 2002
PROBLEM
	Alfonso Fiore [http://www.secure-edge.com/] found the following bug in
	Norton Personal Firewall 2002:
	Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN
	scan (SYN/FIN/URG, SYN/FIN/PUSH and SYN/FIN/URG/PUSH are not detected
	either), even if you activate "detect portscan".
	The Windows machine answers the same way with or without NPF. Open TCP
	port answer (hping output):
	
	len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms
	
	Closed TCP port answer (hping output):
	
	len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms 
	
	This way, you can check which ports are listening and you don't get
	blacklisted. When NPF detects a port scan, it filters all packets from
	the source IP for the next 30 mins. By the way, I tried to understand
	this feature: after some tests, I got the idea that NPF stops ONLY SYN
	packets FROM the blacklisted IP. This means that you can STILL perform
	a SYN/FIN scan while blacklisted, and also that you can go on with an
	established connection from a blacklisted IP. You just can't start a
	new connection FROM the blacklisted machine (but you can start it from
	the "protected" PC). I guess this way of implementing a blacklist is
	mainly for performance. Any comment?
	Moreover, since you can't change the 30 mins default blacklist time,
	this can help a lot in fingerprinting Norton Personal Firewall: get
	your IP blacklisted and then try to send SYN packets again to an open
	port after 30 mins.
	In my probe test, I also tried to check the claim "block fragmented IP
	packets" in advanced options, attacking the Windows box with the old
	jolt2 (MS00-029, May 2000). Of course, the Windows 2000 box has NO patch
	or SP which would prevent the attack from succeeding. You might say a
	computer should always be up to date with patches, but this was a
	proof-of-concept of a future undiscovered fragmented IP bug against a
	claim of being able to block fragments.
	NPF is NOT able to protect my Windows 2000 against jolt2.
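	The following is an added example, not part of the advisory and not
	code from Alfonso Fiore or from Symantec. It shows, from the detection
	side, the two points the report makes: a port-scan detector has to treat
	SYN+FIN (with or without URG/PSH) as a probe in its own right rather
	than only counting plain SYNs, and a blacklist that drops only plain SYN
	packets lets those probes and existing flows through. The hping reply
	parser assumes the key=value line format quoted above; the "strict" and
	non-strict blocklist modes are a model of the behaviour described, not
	NPF's actual code.

```python
import re

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# hping prints flags as single letters, e.g. "SA" for SYN+ACK, "RA" for RST+ACK.
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def flags_from_letters(letters):
    """Convert an hping flag string such as 'SA' into a flag bitmask."""
    value = 0
    for ch in letters:
        value |= FLAG_LETTERS[ch]
    return value


def classify_flags(flags):
    """Label a TCP flag combination the way a port-scan detector should.

    'syn-fin'  SYN and FIN set together (optionally with URG/PSH): never
               legitimate, since a segment cannot open and close at once.
    'null'     no flags at all: also never legitimate.
    'syn'      a plain connection request.
    'other'    anything else (ACK-bearing traffic, RST, FIN, ...).
    """
    if flags == 0:
        return "null"
    if flags & SYN and flags & FIN:
        return "syn-fin"
    if flags & SYN and not flags & ACK:
        return "syn"
    return "other"


def blocklist_drops(flags, strict):
    """Would a packet from a blocklisted source be dropped?

    strict=False models the behaviour the advisory observed: only plain
    SYN packets are stopped, so SYN/FIN probes and established flows pass.
    strict=True drops everything from the blocklisted source (assumed fix).
    """
    if strict:
        return True
    return classify_flags(flags) == "syn"


HPING_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_hping_reply(line):
    """Infer port state from one hping reply line in the quoted format."""
    fields = dict(HPING_FIELD.findall(line))
    flags = flags_from_letters(fields["flags"])
    if flags & SYN and flags & ACK:
        state = "open"         # SYN/ACK: something is listening
    elif flags & RST:
        state = "closed"       # RST/ACK: nothing listening
    else:
        state = "unknown"
    return {"port": int(fields["sport"]), "flags": fields["flags"], "state": state}


# The two reply lines quoted in the advisory (a.b.c.d is the redacted target).
SAMPLE_REPLIES = [
    "len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms",
    "len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms",
]

# Probe flag combinations named in the advisory, as a detector would see them.
PROBES = {
    "SYN": SYN,
    "SYN/FIN": SYN | FIN,
    "SYN/FIN/URG": SYN | FIN | URG,
    "SYN/FIN/PUSH": SYN | FIN | PSH,
    "SYN/FIN/URG/PUSH": SYN | FIN | URG | PSH,
}


def probe_report(strict):
    """Map each probe name to (classification, dropped-while-blocklisted)."""
    return {name: (classify_flags(f), blocklist_drops(f, strict))
            for name, f in PROBES.items()}


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(parse_hping_reply(reply))
    for name, (label, dropped) in probe_report(strict=False).items():
        print(f"{name:18} class={label:8} dropped_by_syn_only_blocklist={dropped}")
```

	Running it shows every SYN/FIN variant classified as "syn-fin" while
	the SYN-only blocklist drops none of them; a detector that counts only
	plain SYNs, or a blocklist keyed on plain SYNs, reproduces exactly the
	gap the advisory reports.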
SOLUTION
	Nothing yet.