April 22nd, 2002, 01:45 PM
Vulnerability: Norton 2002 Firewall Personal Edition
Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scans (SYN/FIN/URG, SYN/FIN/PUSH and SYN/FIN/URG/PUSH are not detected either), even if you activate "detect portscan".
The windows machine answers the same way with or without NPF.
open TCP port answer (hping output):
len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms
close TCP port answer (hping output):
len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms
This way, you can check which ports are listening and you don't get blacklisted. When NPF detects a port scan, it filters all packets from the source IP for the next 30 mins. After some tests, NPF stops ONLY SYN packets FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN scan while blacklisted, and also that you can continue an established connection from a blacklisted IP. You just can't start a new connection FROM the blacklisted machine (but you can start one from the "protected" PC).
Moreover, since you can't change the 30 mins default blacklist time, this can help a lot in fingerprinting Norton Personal Firewall: get your IP blacklisted, then try sending SYN packets again to an open port after 30 mins.
You can visit the vendors webpage here: http://www.symantec.com/sabu/nis/npf/
The vendor was contacted on the 5th of April, 2002 using a web form at
No reply so far.
April 22nd, 2002, 04:34 PM
An argument for the beauty of open source software. Bug fixes and patches get done a lot quicker.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
April 23rd, 2002, 08:54 AM
Symantec Norton Personal Firewall 2002 Fragmented Packet Vulnerability.
Symantec Norton Personal Firewall 2002 (NPW) is a firewall for home and small office machines based on some versions of the Microsoft Windows operating systems.
It has been reported that NPW may not adequately filter packet fragments. In particular, denial of service attacks based on fragmented packets have been reported to work effectively against systems protected by NPW. This may happen even if the attacking address is entirely blocked from the system.
These issues have not been confirmed.