[NT] Kerio Personal Firewall Service Termination

From: SecuriTeam <support@xxxxxxxxxxxxxx>
Date: 20 Jul 2006 19:43:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Kerio Personal Firewall Service Termination
------------------------------------------------------------------------

SUMMARY

Sunbelt Kerio Personal Firewall is a popular firewall software for Windows
systems.

A vulnerability in the Kerio Firewall software allows to crash its
service, thus bypassing the firewall.

DETAILS

Vulnerable Systems:
* Sunbelt Kerio Personal Firewall 4.3.246

Immune Systems:
* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.2.3.912

Kerio uses strange ring3 hooks that communicates the Kerio driver using an
interrupt. Windows API CreateRemoteThread is hooked by Kerio in user mode
in every process. Calling this API can cause a crash of the Kerio service
'kpf4ss.exe'. The cause of this behavior is unknown. The crash of the
Kerio service equals to disabling the protection. The tray icon of Kerio
is not functional any more after exploiting the bug, any application can
perform arbitrary protected action including Internet access and process
creation.

Disclosure Timeline:
* 2006-07-15: Vendor notification
* 2006-07-15: Advisory released
* 2006-07-17: Vulnerability confirmed by popular information sources
* 2006-07-17: Received request from the product vendor to temporarily
remove the exploit code

ADDITIONAL INFORMATION

The information has been provided by matousec.com.
The original article can be found at:

<http://www.matousec.com/info/advisories/Kerio-Terminating-kpf4ss-exe-using-internal-runtime-error.php> http://www.matousec.com/info/advisories/Kerio-Terminating-kpf4ss-exe-using-internal-runtime-error.php

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Prev by Date: [UNIX] PHPjournaler readold SQL Injection
Next by Date: [UNIX] Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure
Previous by thread: [UNIX] PHPjournaler readold SQL Injection
Next by thread: [UNIX] Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure
Index(es):
- Date
- Thread

Relevant Pages

[NT] Kerio Multiple Insufficient Argument Validation of Hooked SSDT Function Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Kerio Multiple Insufficient Argument Validation of Hooked SSDT Function ... executed in the kernel mode but their callers are executed in the user ... Sunbelt Kerio Personal Firewall hooks many functions in SSDT and in at ...
(Securiteam)
[EXPL] Kerio Personal Firewall Multiple IP Options DoS PoC
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Kerio Personal Firewall version 4.1.1 and prior ... checksum(unsigned short *buffer, int size) ...
(Securiteam)