[NT] Tiny Personal Firewall 3.0 Denial of Service Vulnerabilities

From: support@securiteam.com
Date: 08/21/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 21 Aug 2002 11:09:27 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Tiny Personal Firewall 3.0 Denial of Service Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Tiny Personal Firewall 3.0 is ideal for standalone computers or for
trusted, experienced users in a corporate environment. It protects personal
computers against network attacks, worms, Trojans and viruses and manages
the access of computer processes (programs) to computer resources (memory,
files, devices).

Tiny Personal Firewall 3.0 for the Windows platform contains Denial of
Service vulnerabilities in its Personal Firewall Agent module, specifically
the activity logger tab. These vulnerabilities could allow an attacker to
crash the operating system, consuming 100% of your CPU resources.

DETAILS

Vulnerable systems:
 * Tiny Personal Firewall version 3.0

1] DoS vulnerability with Tiny Personal Firewall 3.0 Default Installation
The issue arises when a host running a default install of Tiny Personal
Firewall 3.0 is port scanned with multiple SYN, UDP, ICMP and TCP full
Connect probes across all its ports, and the user then browses the firewall
Log tab of the Personal Firewall Agent module. The user can crash their own
operating system just by clicking or viewing the Activity tab of that
module.

Note: On WinNT 4.0 with SP6a, a workaround is not possible.

2] IP spoofing and DoS vulnerability
This issue is quite similar to the first one, but it occurs with a fully
configured Tiny Personal Firewall 3.0 with the personal firewall set to
HIGH Security. The personal firewall has problems blocking packets with a
spoofed source address.

Workaround:
1] Simply change the permission for the rules under System Applications on
Inbound ICMP (LAN1) to ask user.

2] This vulnerability has no workaround. Even if you block all the IP
addresses, protocols and ports, the firewall will fail to handle the
attack.

ADDITIONAL INFORMATION

The information has been provided by Aaron Tan Lu <aaron@nssolution.com>
and b45h3r <b45h3r@techie.com>.
