Re: Kerio 2.1.5 Vulnerability

From: Alan Illeman (illemann_at_surfbest.net)
Date: 05/29/04


Date: Sat, 29 May 2004 10:08:45 -0400


"Italy Anonymous Remailer" <nobody@See.Comments.Header> wrote in message
news:C2SYDSCA38136.0943865741@anonymous.poster...
> On Fri, 28 May 2004, Kerodo wrote:
> >I'm posting this message because I believe I have found a vulnerability
> >in Kerio 2.1.5 and that I should share this with other Kerio users who I
> >believe are vulnerable to this exploit, even though I can't explain it all
> >very well. I'll do my best.. What it boils down to is that a malicious
> >person is able to get packets to any port past the firewall if they wish.
> >
> >Some time ago, I turned on logging of ICMP in Kerio and noticed that
> >there was ICMP Type 3 outbound to various IP addresses, other than my DNS
> >servers. I wasn't worried about Type 3 to my DNS servers since this
> >appeared to be fairly safe and common, but the other destinations bothered
> >me. Why would my machine be sending Type 3 to seemingly random IPs?
> >
> >I researched this and posted in various Kerio forums, and found out that
> >this was an indication that UDP was somehow getting in thru the firewall.
> >Some suggested it was getting past my rules. I did however, try various
> >rule sets without any change, and I also found that this problem DOESN'T
> >exist in the newer Kerio 4.xx with the same rule set. So the rule set
> >wasn't the problem. And they appear to have fixed the problem in Kerio 4.xx.
> >
> >Further, I noted that most, but not all, of the outbound icmp type 3 was
> >destined to 66.90.xx.xx IP addresses.
> >
> >It bothered me that packets might be getting in thru the firewall
> >somehow, so I uninstalled Kerio and installed Sygate 5.5 instead, which
> >didn't have this problem. Later, I noticed some UDP packets coming in in
> >Sygate which Sygate allowed via a "non-first fragment" rule. Then
> >immediately following these UDP packets was another packet to port 1026.
> >So this was apparently an attempt by the Messenger spammers to get in thru
> >the firewall. These packets were also coming from the noted 66.90.xx.xx
> >IP ranges for the most part, as in Kerio. Sygate, however, wasn't fooled
> >and blocked it. But Kerio 2.1.5 WAS fooled, and allowed the 2nd packet.
> >So I researched this and found out some very interesting info. I think
> >this is what is happening to Kerio 2.1.5.
> >
> >Since I'm not very well versed in network stuff, you'll have to read this
> >and figure it out for yourself, but here is a link that explains the
> >exploits. It relates to Linux firewalls, but I believe that this can
> >happen in any OS and that this is what is happening to Kerio 2.1.5 and
> >that packets are indeed getting in thru the firewall. If this is true,
> >then a malicious person could theoretically get packets thru Kerio to any port.
> >
> >Please read this link for details:
> >
> >http://linuxtoday.com/news_story.php3?ltsn=1999-08-02-021-10-SC
> >
> >Comments anyone?
>
> Does not happen here.
>
> Description: Other ICMP
>
> Protocol: ICMP
>
> Direction: Both
>
> Set ICMP...
>
> [0] Echo Reply, [3] Destination Unreachable, [4] Source Quench,
> [5] Redirect, [6] Alternate Host Address, [9] Router Advertisement,
> [10] Router Solicitation, [11] Time Exceeded, [12] Parameter Problem,
> [13] Timestamp, [14] Timestamp Reply, [15] Information Request,
> [16] Information Reply, [17] Address Mask Request,
> [18] Address Mask Reply, [30] Traceroute, [31] Datagram Conversion Error,
> [32] Mobile Host Redirect, [33] IPv6 Where-Are-You, [34] IPv6 I-Am-Here,
> [35] Mobile Registration Request, [36] Mobile Registration Reply,
> [37] Domain Name Request, [38] Domain Name Reply, [39] SKIP,
> [40] Photuris, [xx] All ICMP Codes
>
> Remote endpoint Address type: Any address
>
> Rule valid: Always
>
> Action: Deny
>
> Log when this rule matches

If I block outgoing Echo Reply [0], my ISP closes down my (dialup)
connection.
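The mechanism Kerodo describes above, and the "non-first fragment" rule the thread mentions, come down to one property of IPv4 fragmentation: only the first fragment of a datagram carries the UDP header, so a filter that matches port rules packet by packet has nothing to match in the later fragments. An outbound ICMP type 3 code 3 (port unreachable) is what the host sends after a UDP datagram has reached a port with no listener, which is why those log entries point at UDP getting past the filter. The following is an added example, not code from this thread or from Kerio or Sygate: it builds a UDP datagram, fragments it, and runs the fragments past two toy filters. `naive_filter` checks ports only on fragments that carry a transport header and passes the rest, the behaviour the thread attributes to Kerio 2.1.5; `FragmentAwareFilter` records the verdict on a datagram's first fragment (keyed by source, destination, protocol and IP identification) and applies it to the later ones, dropping any fragment whose first piece it never accepted. Addresses (documentation ranges), ports, identifiers and payload sizes are constructed for the demonstration, and the stateful filter is a simplified model that assumes in-order arrival; a production firewall queues or reassembles fragments before deciding.

```python
import socket
import struct

IPPROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, more_fragments, frag_offset):
    """20-byte IPv4 header (no options) plus payload; frag_offset is in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with checksum 0 (permitted over IPv4) followed by the data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, ident, udp_datagram, mtu):
    """Split one UDP datagram into IPv4 fragments that fit the given MTU."""
    chunk = (mtu - 20) // 8 * 8          # every fragment but the last carries a multiple of 8 bytes
    frags, offset = [], 0
    while offset < len(udp_datagram):
        piece = udp_datagram[offset:offset + chunk]
        more = offset + chunk < len(udp_datagram)
        frags.append(build_ipv4(src, dst, IPPROTO_UDP, piece, ident, more, offset // 8))
        offset += chunk
    return frags


def parse_ipv4(raw):
    """Decode the fields a packet filter needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # converted to bytes
        "payload": raw[ihl:total_len],
    }


def udp_dport(pkt):
    return struct.unpack("!H", pkt["payload"][2:4])[0]


def naive_filter(raw, allowed_udp_ports):
    """Per-packet port rules. A fragment with no transport header cannot match any
    port rule, and this filter lets such fragments through: the flaw under discussion."""
    pkt = parse_ipv4(raw)
    if pkt["frag_offset"] != 0:
        return "allow"
    if pkt["proto"] != IPPROTO_UDP or len(pkt["payload"]) < 8:
        return "deny"
    return "allow" if udp_dport(pkt) in allowed_udp_ports else "deny"


class FragmentAwareFilter:
    """Decide on the first fragment, then apply that verdict to the rest of the datagram.
    Simplified model (assumption): fragments arrive in order. A real firewall queues or
    reassembles them before deciding and expires incomplete datagrams on a timer."""

    def __init__(self, allowed_udp_ports):
        self.allowed = set(allowed_udp_ports)
        self.verdicts = {}     # (src, dst, proto, ident) -> verdict on the first fragment

    def filter(self, raw):
        pkt = parse_ipv4(raw)
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["ident"])
        if pkt["frag_offset"] == 0:
            if pkt["proto"] != IPPROTO_UDP or len(pkt["payload"]) < 8:
                verdict = "deny"   # not UDP, or too short to hold a whole UDP header
            else:
                verdict = "allow" if udp_dport(pkt) in self.allowed else "deny"
            if pkt["more_fragments"]:
                self.verdicts[key] = verdict
            return verdict
        verdict = self.verdicts.get(key, "deny")  # no accepted first fragment: drop it
        if not pkt["more_fragments"]:
            self.verdicts.pop(key, None)          # last fragment seen, forget the datagram
        return verdict


def demo(allowed_udp_ports=(53,), mtu=576):
    """Constructed traffic: a 1000-byte UDP datagram to port 1026 from an outside host,
    and one to port 53 (allowed), both fragmented to fit the MTU."""
    spam = fragment("203.0.113.7", "192.0.2.10", 0x1234, build_udp(1026, 1026, b"A" * 1000), mtu)
    dns = fragment("198.51.100.53", "192.0.2.10", 0x5678, build_udp(53, 53, b"B" * 1000), mtu)
    stateful = FragmentAwareFilter(allowed_udp_ports)
    return {
        "naive_spam": [naive_filter(f, set(allowed_udp_ports)) for f in spam],
        "stateful_spam": [stateful.filter(f) for f in spam],
        "stateful_dns": [stateful.filter(f) for f in dns],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With a 576-byte MTU the 1008-byte datagram becomes two fragments. The naive filter denies the first fragment (port 1026 is not allowed) but passes the second, and it passes a lone non-first fragment with any destination at all, since there is no port to check; the fragment-aware filter denies both pieces of the port-1026 datagram, drops orphan fragments it has no first fragment for, and still passes both pieces of the DNS datagram.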



Relevant Pages

  • Re: Am I being hacked?
    ... > incoming TCP packets are 'Allowed' on those ports. ... The term "stealth" is misleading. ... The online services that claim to test your firewall can be misleading ... but block normal ICMP echo requests. ...
    (comp.security.firewalls)
  • Re: Attack detection in Kerio PF
    ... The closest I get is seeing the arrow in my system tray icon ... >>indicates outgoing packets. ... Your firewall was blocking the outgoing packets. ... Kerio kept asking for permissions after I ...
    (comp.security.firewalls)
  • Re: merits of Reject vs. Drop
    ... ICMP DOS: ... The first thing that comes to mind is the possibility of a DOS attack on ... your firewall if an attacker can produce a large number of ICMP responses ... > I'm interested in comments on the merits of Rejecting packets vs. ...
    (comp.os.linux.security)
  • Re: Kerio 2.1.5 vulnerability
    ... > |> So it seems any packet with the fragment bit set goes straight through ... > |> the firewall, and kerio only logs plain SYN packets. ... Nice one Kerio. ...
    (comp.security.firewalls)