-
May 9th, 2003, 01:47 PM
#1
Kerio/Tiny Firewall Vulnerability
This came over BugTraq yesterday afternoon. I know that several of you use Tiny firewall, so I thought you might like to know. I left off the links to the exploit itself, but the fixes/patches links are in the text.
Hello,
April 28, 2003, the CoreSecurity team publishes security advisory concerning 2 holes in Kerio Personal Firewall, of which one of both is Remote Buffer Overflow in the process of connection of the remote admin module.
Kerio Personal Firewall using PFEngine, a common firewall engine, it proves that the vulnerability is also present in Tiny Personal Firewall!
In the same time, every PFE firewall based products are vulnerable...
Today, the Thursday, May 8, 2003 6:27 PM, ThreaT (again@#!) from Skin Of Humanity Group released the exploit and the UNOFFICIAL patch for Kerio Personal Firewall version 2.1.4.0 (and previous versions) and Tiny Personal Firewall version 2.0.15.0.
Please enjoy sources of the patch at : http://www.s0h.cc/~threat/goodies/PF...es_PFpatch.zip
To correct this problem on your personal firewall use this address : http://www.s0h.cc/~threat/goodies/PFpatch/PFpatch.exe
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 9th, 2003, 08:39 PM
#2
I just mentioned this to one of my cohorts and we noticed that it isn't verified. There is nothing even mentioned on the Kerio site. Maybe they are investigating it as we speak to see if it's valid????
Thanks.
Opinions are like  holes - everybody's got'em.
-
May 9th, 2003, 08:55 PM
#3
Er... Yeah..... This line was towards the end of the whole mail:-
Sight that Kerio did not want to answer the CoreSecurity request, we did not inform Kerio. I think they do not understood what it passed. (no offence).
I'm not sure what he is trying to say here since his English is a little questionable. There was more than one group investigating this, so it may mean that CoreSecurity informed them of one of the holes and that Kerio did not understand the vulnerability, so that they haven't informed them of the second.
That's my take on it anyway.......
As always, be careful if you D/L the patch. You might want a packet sniffer on a test box to see what happens before you run it in production.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 9th, 2003, 09:03 PM
#4
Yeah, I was thinking of d/ling the patch and looking at the source code if possible. Anyways, thanks for the post.
Opinions are like  holes - everybody's got'em.
-
May 9th, 2003, 09:38 PM
#5
Junior Member
I am using Kerio PF 3.0 beta 6 and would like to know whether it was affected as mentioned in the article. Version 3.0 is totally different from version 2.0, as it is more powerful. Below is the link to the download page:
http://www.kerio.com/us/beta_section.html
-
May 10th, 2003, 08:00 AM
#6
PF hacks
Have you thought of filling the holes yourself with hacks? Though only a decent programmer could do that.
-
May 10th, 2003, 09:39 PM
#7
I've been using Kerio Version 2 for a little over a year now, thank you for the information and links. I visited the links; without blindly downloading patches, I moved back a directory first to see what it was all about. I am going to wait a while to see Kerio's response to this before I patch. I am always on edge with unofficial patches. But thanks so much.
-
May 11th, 2003, 04:03 AM
#8
Member
Another Kerio vuln.
I received that alert along with another that stated packets with a source port of 53 come through the firewall without going against the ruleset. Details can be read at http://www.securityfocus.com/bid/7436/discussion/
-
May 11th, 2003, 10:46 AM
#9
Thanks for the heads-up. I run Tiny Personal Firewall so this is important to me.
From what I've found out, it is a problem with remote administration, and one of the issues is some sort of a replay attack. Basically, if someone captures the packets you send to the firewall to enable/disable some rules, then that person will be able to disable/enable those rules in the future by resending those packets. The other is a buffer overflow (as TigerShark mentioned). As long as you have remote-administration turned off, you shouldn't be affected by these vulnerabilities. I run Tiny on my home PC, so I don't need any remote-administration of my firewall. Anyways, thanks for this information.
-Tim_axe
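Added example, not part of the original thread and not the actual Kerio/Tiny remote-administration protocol: a receiver for a constructed admin-command format, showing why a message authentication code alone does not stop the replay described in post #9, and how a strictly increasing counter covered by the MAC does. The packet layout, rule name and class/function names are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

RULE = "block-inbound-smb"   # constructed rule name

class AdminReceiver:
    """Firewall side of a hypothetical remote-admin channel (constructed format):
    8-byte big-endian counter | command text | 32-byte HMAC-SHA256 tag."""
    def __init__(self, key, check_replay):
        self.key = key
        self.check_replay = check_replay
        self.last_counter = 0        # highest counter accepted so far
        self.rules = {RULE: True}    # rule name -> enabled?

    def handle(self, packet):
        """Apply the command in packet; return True only if it was accepted."""
        if len(packet) < 8 + 1 + 32:
            return False
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False             # forged or corrupted
        counter = struct.unpack(">Q", body[:8])[0]
        if self.check_replay:
            if counter <= self.last_counter:
                return False         # authentic bytes, but already seen
            self.last_counter = counter
        action, _, rule = body[8:].decode("utf-8", "replace").partition(" ")
        if action not in ("enable", "disable") or rule not in self.rules:
            return False
        self.rules[rule] = (action == "enable")
        return True

def make_packet(key, counter, command):
    """Administrator side: build one authenticated command packet."""
    body = struct.pack(">Q", counter) + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def demo():
    """Return (first accepted, replay accepted, rule still enabled) per receiver."""
    key = os.urandom(32)
    captured = make_packet(key, 1, "disable " + RULE)   # observed on the wire
    results = {}
    for name, check in (("mac_only", False), ("mac_and_counter", True)):
        fw = AdminReceiver(key, check)
        first = fw.handle(captured)                        # original command
        fw.handle(make_packet(key, 2, "enable " + RULE))   # admin re-enables
        replay = fw.handle(captured)                       # same bytes, later
        results[name] = (first, replay, fw.rules[RULE])
    return results
```

In a real deployment the last accepted counter has to survive a restart of the receiver, otherwise old packets become valid again after a reboot.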
-
May 12th, 2003, 12:48 PM
#10
Oliver's Law:
Experience is something you don't get until just after you need it.