Kerio/Tiny Firewall Vulnerability

Thread: Kerio/Tiny Firewall Vulnerability

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Kerio/Tiny Firewall Vulnerability

    This came over BugTraq yesterday afternoon. I know that several of you use Tiny firewall so I thought you might like to know. I left off the links to the exploit itself but the fixes/patches links are in the text.

    Hello,

    April 28, 2003, the CoreSecurity team publishes security advisory concerning 2 holes in Kerio Personal Firewall, of which one of both is Remote Buffer Overflow in the process of connection of the remote admin module.
    Kerio Personal Firewall using PFEngine, a common firewall engine, it proves that the vulnerability is also present in Tiny Personal Firewall!
    In the same time, every PFE firewall based products are vulnerable...

    Today, the Thursday, May 8, 2003 6:27 PM, ThreaT (again@#!) from Skin Of Humanity Group released the exploit and the UNOFFICIAL patch for Kerio Personal Firewall version 2.1.4.0 (and previous versions) and Tiny Personal Firewall version 2.0.15.0.

    Please enjoy sources of the patch at : http://www.s0h.cc/~threat/goodies/PF...es_PFpatch.zip

    To correct this problem on your personal firewall use this address : http://www.s0h.cc/~threat/goodies/PFpatch/PFpatch.exe
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I just mentioned this to one of my cohorts and we noticed that it isn't verified. There is nothing even mentioned on the Kerio site. Maybe they are investigating it as we speak to see if it's valid????


    Thanks.
    Opinions are like holes - everybody's got'em.

    Smile

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Er... Yeah..... This line was towards the end of the whole mail:-

    Sight that Kerio did not want to answer the CoreSecurity request, we did not inform Kerio. i think they do not understood what it passed. (no offence).
    I'm not sure what he is trying to say here since his English is a little questionable. There was more than one group investigating this so it may mean that CoreSecurity informed them of one of the holes and that Kerio did not understand the vulnerability so that they haven't informed them of the second.

    That's my take on it anyway.......

    As always, be careful if you D/L the patch. You might want a packet sniffer on a test box to see what happens before you run it in production.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Yeah, I was thinking of d/ling the patch and looking at the source code if possible. Anyways, thanks for the post.
    Opinions are like holes - everybody's got'em.

    Smile

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    9
    I am using Kerio PF 3.0 beta 6, would like to know whether it was affected as what has been mentioned in the article. Version 3.0 is totally different from version 2.0 as it is more powerful, below is the link to the download page:

    http://www.kerio.com/us/beta_section.html

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    54

    PF hacks

    Have you thought of filling the holes yourself with hacks, though only a decent programmer could do that.

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    I've been using Kerio Version 2 for a little over a year now, thank you for the information and links. I visited the links, without blindly downloading patches I moved back a directory first to see what it was all about. I am going to wait a while to see Kerio's response to this before I patch. I am always on edge with unofficial patches. But thanks so much.

  8. #8
    Member
    Join Date
    Dec 2002
    Posts
    63

    Another Kerio vuln.

    I received that alert along with another that stated packets with a source port of 53 come through the firewall without going against the ruleset. Details can be read at http://www.securityfocus.com/bid/7436/discussion/
    $pak = me;

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Thanks for the heads-up. I run Tiny Personal Firewall so this is important to me.

    From what I've found out, it is a problem with remote administration, and one of the issues is some sort of a replay attack. Basically, if someone captures the packets you send to the firewall to enable/disable some rules, then that person will be able to disable/enable those rules in the future by resending those packets. The other is a buffer overflow (as TigerShark mentioned). As long as you have remote-administration turned off, you shouldn't be affected by these vulnerabilities. I run Tiny on my home PC, so I don't need any remote-administration of my firewall. Anyways, thanks for this information.

    -Tim_axe
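
Added example, not part of the thread and not Kerio's or Tiny's code: the replay problem described in post #9, shown on a constructed toy admin protocol (the message format, `Firewall` class, key and 30-second window are assumptions). A MAC alone authenticates a rule-change command but lets the same captured bytes be accepted again; putting a nonce and timestamp under the MAC lets the receiver reject the resend.

```python
import hmac
import json
import os
import time

KEY = os.urandom(32)   # constructed shared admin key, demo only
MAX_SKEW = 30          # seconds a fresh command stays valid


def sign(body: bytes) -> str:
    return hmac.new(KEY, body, "sha256").hexdigest()


def make_command(action, rule_id, fresh):
    fields = {"action": action, "rule": rule_id}
    if fresh:
        fields.update(nonce=os.urandom(16).hex(), ts=int(time.time()))
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body, "mac": sign(body)}


class Firewall:
    def __init__(self, require_freshness):
        self.require_freshness = require_freshness
        self.rules = {1: True}      # rule id -> enabled
        self.seen_nonces = set()    # nonces accepted so far

    def handle(self, msg, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(sign(msg["body"]), msg["mac"]):
            return False            # forged or altered message
        fields = json.loads(msg["body"])
        if self.require_freshness:
            nonce, ts = fields.get("nonce"), fields.get("ts")
            if (nonce is None or ts is None or abs(now - ts) > MAX_SKEW
                    or nonce in self.seen_nonces):
                return False        # missing, stale, or already-seen
            self.seen_nonces.add(nonce)
        self.rules[fields["rule"]] = fields["action"] == "enable"
        return True


def replay_outcome(require_freshness):
    # Send one "disable", turn the rule back on, then resend the same bytes.
    fw = Firewall(require_freshness)
    captured = make_command("disable", 1, fresh=require_freshness)
    first = fw.handle(captured)
    fw.rules[1] = True              # administrator re-enables the rule
    second = fw.handle(captured)    # identical bytes arrive again
    return first, second, fw.rules[1]
```

`replay_outcome(False)` ends with the rule disabled again by the resent message; `replay_outcome(True)` ends with the rule still enabled.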

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Oliver's Law:
    Experience is something you don't get until just after you need it.
