EEYE: Kerio Personal Firewall Multiple IP Options Denial of Service

From: Marc Maiffret (mmaiffret_at_EEYE.COM)
Date: 11/09/04

  • Next message: Jeffrey Thomas: "New MyDoom variants exploiting unpatched IFRAME exploit"
    Date:         Tue, 9 Nov 2004 10:38:02 -0800

    Kerio Personal Firewall Multiple IP Options Denial of Service

    Release Date:
    November 9, 2004

    Date Reported:
    October 30, 2004

    High (Remote Denial of Service)


    Systems Affected:
    Kerio Personal Firewall 4.1.1 and prior

    eEye Digital Security has discovered a severe denial of service
    vulnerability in the Kerio Personal Firewall product for Windows. The
    vulnerability allows a remote attacker to reliably render a system
    inoperative with one single packet. Physical access is required in order
    to bring an affected system out of this "frozen" state. This specific
    flaw exists within the component that performs low level processing of
    TCP, UDP, and ICMP packets.

    Technical Details:
    The vulnerability exists in FWDRV.SYS when trying to parse through the
    IP Options in a TCP, UDP, or ICMP packet. When an attacker supplies a
    single TCP, UDP, or ICMP packet with an IP Option followed by a length
    of 0x00, the FWDRV.SYS driver enters an infinite loop and causes the
    operating system to "freeze up" to the point where it can no longer be
    accessed outside of the system itself nor can any part of the GUI be
    accessed including keyboard and mouse. The only way to bring the system
    back online is to hard boot the system which requires physical access of
    the system. The attacker only needs to send a single packet to any port
    on the system regardless of whether or not the port is open. This flaw
    is still accessible even if the firewall is set to "stop all traffic"
    because it still continues to process packets. The vulnerable code
    maintains an offset into the IP option bytes, and attempts to advance
    past a variable-length option by adding its length to the offset. If the
    option's length field is zero, then this will result in an infinite loop
    and the machine halts completely. It should be noted that since there is
    not a state requirement for performing this attack, it is possible to
    spoof a TCP, UDP, or ICMP packet. This results in an attacker's ability
    to remain anonymous.

    For those who pay attention you might have noticed that this
    vulnerability is _identical_ to the Symantec vulnerability we released a
    few months back. This is
    important to illustrate as we hope that more software vendors become
    more diligent about reading the very important technical details held
    within advisories so that they can better secure their code/customers
    from already known attacks such as this one.

    Retina Network Security Scanner has been updated to identify this

    Vendor Status:
    Kerio has provided an update to their Personal Firewall 4. Please
    download 4.1.2 or later from
    Kerio has also released a security advisory at

    Discovery: Karl Lynn

    Related Links:
    Retina Network Security Scanner - Free 15 Day Trial

    Copyright (c) 1998-2004 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please email for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <>  for complete details regarding the
    TICSA credential and to take the free sample exam.

  • Next message: Jeffrey Thomas: "New MyDoom variants exploiting unpatched IFRAME exploit"

    Relevant Pages