Title: Kerio Personal Firewall Replay Attack and Buffer Overflow
Class: Design Error, Boundary Error Condition (Buffer Overflow)

We sent notification mails to the following addresses: , , , several times during March and April ( , , , ) and never received an answer from Kerio.

Kerio Personal Firewall (KPF) is a firewall for workstations designed to protect them against attacks from the Internet and the local network.

We found two security vulnerabilities in KPF's remote administration system:

1. A replay attack is possible against the authenticated/encrypted channel for remote administration. A design problem in the authentication mechanism for remote administration allows an attacker to replay captured packets from a valid remote administration session in order to reproduce the administrator's directives to the personal firewall. For example, if the attacker is able to sniff a valid session in which the administrator disabled the firewall capabilities, the attacker gains the ability to disable the personal firewall at will at any time in the future.

2. A remotely exploitable buffer overflow exists in the administrator authentication process.

Vulnerable versions: Kerio Personal Firewall version 2.1.4 and previous versions.

Solution: Contact the vendor for a fix. Workaround: disable the remote administration feature.

Credits: These vulnerabilities were found by Emiliano Kargieman, Hernán Gips and Javier Burroni from Core Security Technologies during Bugweek 2003 (March 3-7, 2003).

Technical Description - Exploit/Concept Code:

We found two security vulnerabilities in Kerio PF's remote administration system.

1. A replay attack is possible against the authenticated/encrypted remote administration channel. As a result of a design problem in the authentication mechanism for remote administration, it is possible to replay a previously captured administration session.

If 'S' is the workstation running Kerio Personal Firewall and 'C' is the administrator workstation, the following scheme shows the initial key exchange and authentication packets for a remote administration session:

    > 128 bytes (the initial 64 bytes are 0 and the last
    > 128 bytes (Everything is 0ed except the last 4 bytes
    (The session continues with commands and responses)

The last 64 bytes of this packet are read from the file 'persfw.key' in the Kerio installation directory.

It was noted from analyzing these sessions that the first differences between different sessions come from the administrator's workstation 'C'. This led us to try replaying an administration session as a whole, with the unexpected result that it was deemed valid by 'S'. This shows that in fact no randomization or serialization is used on the 'server' side 'S', and thus there is no way for Kerio to ensure that the session is new and not a replay of an old one.

As a result, an attacker with access to an encrypted administration session can record the session and replay it to the server at a later time to reissue the administration commands to the personal firewall. The commands replayed can include enabling/disabling the firewall, adding firewall rules, etc.

2. A remotely exploitable buffer overflow exists in the administrator authentication process.

When the administrator connects to the firewall, a handshake occurs in order to establish an encrypted session. The 4th packet of the handshake (the first packet sent by the administrator) is a 4-byte packet carrying a fixed value of 0x40 (64), which indicates the size of the following packet, expected to contain the administrator's key. No boundary checks exist at the firewall side for processing this data: the recv() reads the 4 bytes and then attempts to read the amount of data indicated by those 4 bytes into a buffer on the stack.

As a result, an attacker connecting to the administration port on the personal firewall can construct a packet sequence that will overflow the buffer on the stack, allowing her to execute arbitrary code on the machine running the personal firewall. It is important to note that these packets are accepted by the personal firewall before authentication of the administrator takes place.

The following proof of concept Python script will make the program jump to address 0x41414141. Note that there is enough space in the buffer (approx. 1800 bytes) to insert a shell code.

    import socket
    fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

About Core Security

Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.
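To make the defect in the buffer overflow section of the technical description concrete, here is an added illustration that is not the advisory's code and not Kerio's: the length-prefixed key read in the unchecked shape the advisory describes, beside the form that enforces the fixed 0x40 length before copying anything to the stack. The in-memory stream standing in for a socket, the little-endian encoding of the length field and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 64u   /* the 0x40 the protocol expects for the administrator's key */

/* In-memory stand-in for a socket so the example runs offline (assumption). */
struct stream { const uint8_t *data; size_t len, pos; };
static size_t stream_recv(struct stream *s, void *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Length field assumed little-endian; the advisory does not state the byte order. */
static uint32_t rd_u32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Vulnerable pattern the advisory describes: the peer-supplied length is trusted
 * and used as the read size into a fixed 64-byte stack buffer. Shown for contrast only. */
int read_key_unchecked(struct stream *s, uint8_t *key_out) {
    uint8_t hdr[4], key[KEY_LEN];
    if (stream_recv(s, hdr, 4) != 4) return -1;
    stream_recv(s, key, rd_u32(hdr));   /* writes past 'key' when the length exceeds 64 */
    memcpy(key_out, key, KEY_LEN);
    return 0;
}

/* Hardened form: the protocol fixes the key size at 0x40, so any other value is a
 * protocol violation and is rejected before a single byte is copied to the stack. */
int read_key_checked(struct stream *s, uint8_t *key_out) {
    uint8_t hdr[4], key[KEY_LEN];
    if (stream_recv(s, hdr, 4) != 4) return -1;
    if (rd_u32(hdr) != KEY_LEN) return -2;  /* malformed length: drop the session */
    if (stream_recv(s, key, KEY_LEN) != KEY_LEN) return -1;
    memcpy(key_out, key, KEY_LEN);
    return 0;
}

/* Builds a constructed 4th/5th handshake packet pair with the given length field
 * and a 64-byte dummy key, then runs the hardened reader over it. */
int demo_checked(uint32_t claimed_len) {
    uint8_t pkt[4 + KEY_LEN], key[KEY_LEN];
    for (int i = 0; i < 4; i++) pkt[i] = (uint8_t)(claimed_len >> (8 * i));
    memset(pkt + 4, 0xAB, KEY_LEN);
    struct stream s = { pkt, sizeof pkt, 0 };
    return read_key_checked(&s, key);   /* 0 for 0x40, -2 for any other length */
}
```

A well-formed header (0x40) is accepted; a header claiming 0x1000 bytes is rejected at the length check, so the stack buffer is never written with attacker-chosen sizes.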