[NT] Vulnerabilities in Kerio Personal Firewall (Buffer Overflow, Replay)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/30/03

  • Next message: SecuriTeam: "[REVS] A Technique for Counting NATed Hosts"
    To: list@securiteam.com
    Date: 30 Apr 2003 13:04:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Vulnerabilities in Kerio Personal Firewall (Buffer Overflow, Replay)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.kerio.com/kerio.html> Kerio Personal Firewall (KPF) is "a
    firewall for workstations designed to protect them against attacks from
    the Internet and the local network. We found two security vulnerabilities
    in KPF's remote administration system". Two security vulnerabilities have
    been found in the product, one allowing remote attackers to replay
    previous sessions, the other allows overflowing a buffer used by the Kerio
    firewall, allowing execution of arbitrary code.

    DETAILS

    Vulnerable systems:
     * Kerio Personal Firewall version 2.1.4 and previous versions.

    Replay attack:
    A replay attack is possible against the authenticated/encrypted channel
    for remote administration. A design problem in the authentication
    mechanism for remote administration allows an attacker to replay captured
    packets from a valid remote administration session in order to reproduce
    the administrator's directives to the personal firewall.
    For example if the attacker is able to sniff a valid session in which the
    administrator disabled the firewall capabilities, then the attacker will
    gain the ability to disable the personal firewall at will at any time in
    the future.

    Buffer overflow:
    A remotely exploitable buffer overflow exists in the administrator
    authentication process.

    Solution/Vendor Information/Workaround:
    Contact the vendor for a fix.

    Workaround:
    Disable the remote administration feature.

    Technical Description - Exploit/Concept Code:
    CORE found two security vulnerabilities in Kerio PF's remote
    administration system.

    Replay attack:
    A replay attack is possible against the authenticated/encrypted remote
    administration channel. Because of a design problem in the authentication
    mechanism for remote administration, it is possible to replay a previously
    captured administration session.

    If 'S' is the workstation running Kerio personal firewall and 'C' is the
    administrator workstation, the following scheme shows the initial key
    exchange and authentication packets for a remote administration session:

       S C
             <--- connect
             ---> 10 bytes (0f 00 0a 00 01 00 00 00 02 00)
      [*] ---> 128 bytes (the initial 64 bytes are 0 and the last
                             64 bytes are the 'public' key)
             ---> 128 bytes (Everything is 0ed except the last 4 bytes
                             [01 00 01 00])
      [0] <--- 4 bytes (00 00 00 40)
      [1] <--- 64 bytes (This 64 bytes change from session to session)
      [2] <--- 32 bytes (From now on, everything is encrypted and differs
                            from session to session)
             ---> 4 bytes ()
      [3] <--- 64 bytes (user authentication)
             ........
             ........ (The session continues with commands and responses)
             ........

      [*] The last 64 bytes of this packet are read from the file 'persfw.key'
    on the Kerio installation directory.

    It was noted from analyzing these sessions that the first differences
    between different sessions come from the administrator's workstation 'C'.
    This led us to try replaying an administration session as a whole, with
    the unexpected result that it was deemed valid by 'S'. This shows that in
    fact no randomization or serialization is used on the 'server' side 'S',
    and thus there is no way for Kerio to ensure that the session is new and
    not a replay of an old one.

    As a result, an attacker with access to an encrypted administration
    session can record the session and replay it to the server later to
    reissue the administration commands to the personal firewall.
    The commands replayed can include enabling/disabling the firewall, adding
    firewall rules, etc.

    Buffer overflow:
    A remotely exploitable buffer overflow exists in the administrator
    authentication process. When Administrator connects to the firewall, a
    handshake occurs in order to establish an encrypted session. The 4th
    packet of the handshake (the first packet sent by the administrator) is a
    4 byte packet data, with a fixed number of 0x40 (64) indicating the size
    of the following packet expected to contain the administrator's key.
    No boundary checks exist at the firewall side for processing this data,
    and the recv() reads the 4 bytes and then attempts to read the amount of
    data indicated by the 4 bytes to a buffer on the stack. As a result, an
    attacker connecting to the administration port on the personal firewall
    can construct a packet sequence that will overflow the buffer on the
    stack, allowing her to execute arbitrary code on the machine running the
    personal firewall.

    It is important to note that these packets are accepted by the personal
    firewall before authentication of the administrator takes place.

    The following proof of concept Python script will make the program jump to
    address 0x41414141. Note that there is enough space in the buffer (approx.
    1800 bytes) to insert a shell code.

    ---------------------
    import os
    import socket
    import struct
    import string

    def g():
         fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         try:
             fd.connect(('192.168.66.160', 44334))
             fd.recv(10)
             fd.recv(256)
             fd.send(struct.pack('!L', 0x149c))
             astr = 'A'*0x149c
             fd.send(astr)

         except Exception, e:
             print e
             pass

         fd.close()

    g()
    ---------------------

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisories@coresecurity.com>
    CORE Security Technologies Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[REVS] A Technique for Counting NATed Hosts"

    Relevant Pages