exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

kerio-fwdrv-dos-adv.txt

kerio-fwdrv-dos-adv.txt
Posted Oct 13, 2005
Authored by Piotr Bania | Site pb.specialised.info

Kerio Personal Firewall 4 (4.2.0) and Kerio Server Firewall version 1.1.1 are susceptible to a local denial of service vulnerability. Earlier versions are also presumed susceptible.

tags | advisory, denial of service, local
SHA-256 | 844d00225d7f054c20b7c6aa6d74222ce2248249498f97c2cfd3de4177338c46

kerio-fwdrv-dos-adv.txt

Change Mirror Download


Kerio Technologies Kerio Personal Firewall and Kerio Server
Firewall FWDRV driver
Local denial of service
by Piotr Bania <bania.piotr@gmail.com>
http://pb.specialised.info



Original location:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt

Severity: Low (local machine denial of service -
BSOD)


Software affected: Tested on Kerio Personal Firewall 4
(4.2.0) and KerioServerFirewall
version 1.1.1, however it is highly

possible that earlier versions
are also vulnerable.



I. BACKGROUND

From kerio.com website:

"Kerio Personal Firewall represents smart, easy-to-use personal
security technology that fully protects personal computers
against hackers and internal misuse"

"Kerio ServerFirewall offers IT and security administrators a
powerful and easy-to-use tool to protect their server systems
from worms, buffer-overflow and other internet security
threats."


II. DESCRIPTION

FWDRV driver (core part of the firewall system) monitors all
programs that are trying to connect to the internet. While doing
necessary checks, FWDRV parses the Process Environment Block
(PEB) like the code shows:


;----------SNIP--------------------------------------------
.text:0041C04E mov ecx, [ebp+var_4] ; ECX = PEB base
.text:0041C051 mov edx, [ecx+0Ch] ; EDX = PEB_LDR_DATA
;----------SNIP--------------------------------------------


However while parsing the PEB FWDRV doesn't check if the memory
with Process Environment Block is accessible. It means that if
attacker will set PAGE_NOACCESS or PAGE_GUARD protection to the
PEB block the FWDRV will cause an fatal exception and the
machine will crash.


III. IMPACT

Sample scenario:
Executing connect api function with previously PAGE_NOACCESS
protection set to Process Environment Block will cause an local
machine crash.


IV. POC CODE

Sample POC code was released to vendor.


best regards,
Piotr Bania


--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------


Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close