SecurityTracker.com
SecurityTracker Archives
Category:  Application (Firewall)  >  Kerio Personal Firewall
Vendors:  Kerio Technologies
(Vulnerability is Reasserted and Details Are Provided) Re: Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash
SecurityTracker Alert ID:  1005151
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 29 2002
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, Denial of service via network
Exploit Included:  Yes  
Version(s): 2.x.x
Description:  A denial of service vulnerability was reported in the Kerio Personal Firewall software for Microsoft Windows operating systems. A remote user can cause a host protected by the firewall software to crash.

In the original message, NSSI-Research Labs warned that a remote user could cause the protected host's CPU utilization to reach 100%, even if the host's TCP/IP stack has been hardened. After that message, the vendor responded to deny the vulnerability (see the Message History for the vendor's message). NSSI-Research Labs subsequently issued another message reasserting the original claim and providing vulnerability details. In addition, a cross-site scripting flaw has been reported.

It is reported that the firewall is vulnerable to SYN flood attacks. A remote user can send 40 or more TCP SYN packets to cause the target host to stop responding and the host to eventually crash. This attack is reportedly successful even if the target host operating system has been hardened.

If the firewall is set to block all services and protocols, a remote user can send 500 or more TCP SYN packets to cause the target host to stop responding and CPU utilization to reach 100%.
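Added example, not from the advisory or either vendor: a small Python detector that, run over connection records, flags a source that leaves 40 or more half-open connections to one port inside a short window. The figure 40 is the packet count the advisory reports; the record format, the 10-second window and the sample records are constructed for illustration (the addresses are the ones used in the test bed quoted below).

```python
from collections import defaultdict, deque

SYN_THRESHOLD = 40      # the advisory reports 40 SYNs were enough to close port 25
WINDOW_SECONDS = 10.0   # assumed observation window; not a figure from the advisory

def parse_record(line):
    """Parse one constructed record: '<epoch> <src>:<sport> > <dst>:<dport> [<flags>]'.
    Only client-to-server packets are recorded in this toy format."""
    ts, src, _, dst, flags = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), src_ip, dst_ip, int(dport), flags.strip("[]")

def detect_syn_floods(lines, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """Return (src, dst, dport, count) for every source that accumulates
    `threshold` half-open connections to one port within `window` seconds.
    A SYN adds a pending entry; a later ACK from the same source retires one,
    so well-behaved clients that finish the handshake never trip the rule."""
    pending = defaultdict(deque)   # (src, dst, dport) -> timestamps of unanswered SYNs
    alerts = []
    for line in lines:
        ts, src, dst, dport, flags = parse_record(line)
        key = (src, dst, dport)
        if flags == "S":
            q = pending[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop SYNs that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((src, dst, dport, len(q)))
                q.clear()                     # report once per burst
        elif "A" in flags and pending[key]:   # third handshake step: connection completed
            pending[key].popleft()
    return alerts

# Constructed sample: one source sends 40 bare SYNs to the mail server's port 25
# within four seconds, then a legitimate client completes a normal handshake.
SAMPLE_RECORDS = [
    "%.1f 192.168.0.99:%d > 192.168.0.1:25 [S]" % (0.1 * i, 40000 + i) for i in range(40)
] + [
    "5.0 192.168.0.50:51000 > 192.168.0.1:25 [S]",
    "5.1 192.168.0.50:51000 > 192.168.0.1:25 [A]",
]

if __name__ == "__main__":
    for src, dst, dport, n in detect_syn_floods(SAMPLE_RECORDS):
        print(f"possible SYN flood: {src} -> {dst}:{dport}, {n} half-open connections")
```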

Also, a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will appear to originate from the local host (the firewall) and will run in the security context of the local host. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the firewall, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.

Some demonstration exploit URLs are provided:

http://keriowebmail/<script>alert('THisIsREAL0wned')</script>
http://keriowebmail/passwd<script>alert('VERYVULNERABLE')</script>
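As an added example that is not part of the advisory or Kerio's code, this Python sketch shows the defect pattern described above: an error page that reflects the requested path unescaped, beside a version that HTML-escapes it before placing it in the page. The page template, the response builder and the request paths are constructed for illustration, modelled on the demo URLs quoted above.

```python
import html
from urllib.parse import unquote

# Constructed request paths modelled on the advisory's demo URLs; the second
# is the same payload percent-encoded, as a browser would actually send it.
ATTACK_PATH = "/passwd<script>alert('VERYVULNERABLE')</script>"
ENCODED_ATTACK_PATH = "/passwd%3Cscript%3Ealert('VERYVULNERABLE')%3C/script%3E"

PAGE = "<html><body><h1>404 Not Found</h1><p>{path} was not found.</p></body></html>"

def vulnerable_not_found(raw_path: str) -> str:
    """Error page that echoes the decoded request path straight into the
    HTML body. Whatever the requester placed in the URL becomes live markup
    that runs in the origin of the server that served it."""
    return PAGE.format(path=unquote(raw_path))

def hardened_not_found(raw_path: str) -> str:
    """Same page, but the reflected path is HTML-escaped after decoding and
    before insertion, so it renders as text rather than as elements."""
    return PAGE.format(path=html.escape(unquote(raw_path), quote=True))

def http_response(body: str, status: str = "404 Not Found") -> bytes:
    """Wrap a body in an HTTP/1.0 response. Declaring the charset in the
    Content-Type header also rules out charset-sniffing variants of the bug."""
    payload = body.encode()
    head = (f"HTTP/1.0 {status}\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload

def reflects_live_script(page: str) -> bool:
    """Crude check used to compare the two handlers: an unescaped <script> start tag."""
    return "<script" in page.lower()
```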

Impact:  A remote user can cause CPU utilization to reach 100% or the protected target host to crash.

A remote user can also access the target user's cookies (including authentication cookies), if any, associated with the firewall software, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.

Solution:  No solution was available at the time of this entry.

Vendor URL:  www.kerio.com/us/kpf_home.html
Cause:  Input validation error, Exception handling error, Resource error
Underlying OS:  Windows (Any)
Reported By:  "Abraham Lincoln" <sunninja@scientist.com>
Message History:   This archive entry is a follow-up to the message listed below.
Aug 27 2002 Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash



 Source Message Contents

Date:  Thu, 29 Aug 2002 08:35:56 +0800
From:  "Abraham Lincoln" <sunninja@scientist.com>
Subject:  Re: Kerio Mail Server Multiple Security vulnerabilities

 

Hi.

  This is a straightforward answer to what Mr. Jaroslav Snajdr of
Kerio.com mail server dev is claiming, that Kerio Mail Server is not
vulnerable. To clear things up and let the people judge.


    By the way, Mr. Snajdr, I'm receiving emails that they confirmed
that the vulnerability in your product DOES EXIST. Anyway, I'll proceed to
the explanation of reproducing the vulnerability.

  We will show you if this advisory is real or not, because we will be
releasing another SECURITY ADVISORY against the newest version of Kerio
Mail Server.

   1] Cross-Site Scripting Vulnerability with Kerio
"secure" Web Mail module.

   Try this:
      http://keriowebmail/<script>alert('THisIsREAL0wned')</script>

Even the 404 page is vulnerable? Funny. Mr. Kevin of spidy, thanks ;)
 
 Another sample:
	 http://keriowebmail/passwd<script>alert('VERYVULNERABLE')</script>
 
 Funny ;)
 
   So Kerio is not vulnerable to cross-site scripting? ;P Now you g0t the
idea how to recode your insecure coding style. Want to know more about
cross-site scripting? Read the FAQ always and search it in Google. ;p

    The other is not yet to be divulged; it will be released in the next
advisory this week ;)

  2] DOS Vulnerability with Every Kerio Mail Server Service.

	Some people think (*shrug*) that securing the TCP/IP stack
of the operating system could protect their application against DOS.
Let people judge:

Test Bed:  [*nix with synflood]<----------->[WinNT with SP6a
/Win2k SP3 with Kerio Mailserver] (note: all Win servers are hardened
;)

synmail = our synflood Proof of Concept Code
Kerio Mail Server IP = 192.168.0.1
Sendmail IP = 192.168.0.2

  [root@NSSIlabs]# ./synmail 
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.1 25 40
   Targeting host 192.168.0.1 .......
   done!
   
  [root@NSSIlabs]# telnet 192.168.0.1 25
  Trying 192.168.0.1...
  telnet: Unable to connect to remote host: Connection refused

  [root@NSSIlabs]# nc 192.168.0.1 25
   
  note: no reply from netcat ;) meaning the port is closed after
targeting port 25 with 40 SYN packets

   Vulnerable or no? ;)

 Another test against another mail server (against sendmail) ;)

   [root@NSSIlabs]# ./synmail 
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.2 25 50
   Targeting host 192.168.0.2 .......
   done!

Note: as you would notice, we increased the SYN packets to 50. ;)
   
  [root@SunNinja remote]# telnet 192.168.0.2 25
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
220 nssilabs.nssolution.COM ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Aug 2002 03:14:37 +0800

   It's for you to judge if this is wrong or right. People who are
reading this may test it on their own ;)

   We will be releasing another Security Advisory regarding the newest
version of Kerio Mail Server ;)

   Hey Mr. Snajdr, if you think that this demo is not acceptable or so,
there's nothing we can do about it. We just found a flaw in your
application and we informed you about it before releasing the advisory
so you could release a patch, but unfortunately we received emails from you
saying that this vulnerability report is fake. Anyway, people who are reading
this will be the ones to judge ;)

   Thanks and good day! ;)
   
Regards,
Abraham
NSSI Research Labs
"When They say that their Technology is Un-Breakable they are
Lying..." - Bruce
Copyright 2002, SecurityGlobal.net LLC