Kerio 2.1.5 vulnerability
From: Hassan I Sahba (me_at_privacy.net)
Date: Sat, 06 Nov 2004 00:39:02 +0000
Crosposted to: comp.security.firewalls and alt.comp.freeware
Awhile ago in comp.security.firewalls a poster called Kerodo posted
which contains a link to this 1999 advisory:
Linux ipchains Firewall Vulnerability
which I believe was based on this 1998 paper:
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
As I used Kerio I put it in the 2do list as something to play with,
and recently got round to checking it out.
I went to the grc Shields UP site and passed their scan with all ports
"stealthed". They then told me "From the standpoint of the passing
probes of any hacker, this machine does not exist on the Internet."
Kerio was configured to Log Packets Addressed to Unopened Ports and
Log Suspicious Packets. Then I made a new rule to block ALL incoming
and outgoing TCP connections and moved it to the top of Kerio's rule
set. Then I made another rule to block ALL ICMP, and made it second
in the list. Both these rules were set to log and alert.
TYPSoft FTP Server Version 1.10 was used to open port 21.
All the following packets are TCP sent by hping2 on Linux to an XPpro
(SP2) machine running Kerio 2.1.5.
When sending a SYN to an open or closed port I got no reply. Kerio
logged it and showed an alert. Kerio's red (traffic denied) arrow
flashed in systray.
This is the only good result here.
When I sent a FIN, ACK or RST to an open or closed port I got no
reply. Kerio did not log it. or show an alert. The green (traffic
allowed) arrow flashed.
I can understand Kerio not logging this but not why it was allowed.
When I sent a PUSH or an URG to an open or closed port I received a
RST, ACK in reply. Kerio did not log it or show an alert. The green
arrow flashed. Ethereal logged the return packet as a [Tcp Zero
A return packet. There goes "stealth" out the window. This clearly
shows there is a machine behind the firewall.
When I sent a SYN with the fragment bit set to a closed port I got a
RST, ACK (port closed) back. Kerio did not log it or show an alert.
The green (traffic allowed) arrow flashed.
It's getting worse!!
When I sent a SYN with the fragment bit set to an open port (21) I got
a SYN, ACK (connection accepted) back. Kerio did not log it or show an
alert. The green (traffic allowed) arrow flashed. The ftp server
logged the attempted connection and asked for a user name. Then I
tried again with netcat listening on 21, and netcat saw the incoming
packet and returned a SYN, ACK.
Aaaaarrrggghh!!!!!!!! An accepted connection through the firewall.
All our Kerio's are belong to them :'-(
I had planned to try ICMP packets next, but what's the point?
So it seems any packet with the fragment bit set goes straight through
the firewall, and kerio only logs plain SYN packets.
This vulnerability is nearly 7 YEARS OLD, so there must be people
exploiting it by now. Nice one Kerio. How long have they known this?
Do they not try and enumerate their own firewall?
If they didn't know they are fools and I can no longer trust them.
If they did know and didn't withdraw Kerio I can no longer trust them.
The above may seem complicated to some but this is basic scanning, and
I'm no expert. One day I finally got round to setting up a Linux box,
the next day I played with Hping2 and found this, yet I found nothing
on Google describing this. Surprising to say the least.
So what next I thought. ZoneAlarm of course. I got
zls-free-Setup51033000.exe and installed it. I had to clean kerio
from the registry by hand first as it didn't uninstall cleanly.
ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
4.1.1. Not vulnerable (but my trust is gone).
With info from the above links and a little knowledge of Kerio it's
easy to locate and connect to Kerio 2.1.5 boxes.
What next? It's format and reinstall windows for me.