Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Kerio Personal Firewall Multiple IP Options DoS

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Kerio Personal Firewall Multiple IP Options DoS
Date: 11 Nov 2004 18:34:51 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Kerio Personal Firewall Multiple IP Options DoS
------------------------------------------------------------------------


SUMMARY

" <http://www.kerio.com/kpf_home.html> Kerio Personal Firewall (KPF) helps 
users control how their computers exchange data with other computers on 
the Internet or local network."

A machine running Kerio Personal Firewall can be rendered inoperable and 
frozen due to a single packet from a malicious party. Physical access is 
then required in order to secure control of the machine again.

DETAILS

Vulnerable Systems:
 * Kerio Personal Firewall version 4.1.1 and prior

Immune Systems:
 * Kerio Personal Firewall version 4.1.2

The DoS flaw exists within the low-level component that handles TCP, UDP 
and ICMP packets. The vulnerability exists in FWDRV.SYS when trying to 
parse through the IP Options in a TCP, UDP, or ICMP packet. When an 
attacker supplies a single TCP, UDP, or ICMP packet with an IP Option 
followed by a length of 0x00, the FWDRV.SYS driver enters an infinite loop 
and causes the operating system to "freeze up" to the point where it can 
no longer be accessed outside of the system itself nor can any part of the 
GUI be accessed including keyboard and mouse.

Note: The only way to bring the system back online is to hard boot the 
system which requires physical access.

The attacker only needs to send a single packet to any port on the system 
regardless of whether or not the port is open. This flaw is still 
accessible even if the firewall is set to "stop all traffic" because it 
still continues to process packets.

The vulnerable code maintains an offset into the IP option bytes, and 
attempts to advance past a variable-length option by adding its length to 
the offset. If the option's length field is zero, then this will result in 
an infinite loop and the machine halts completely. It should be noted that 
since there is not a state requirement for performing this attack, it is 
possible to spoof a TCP, UDP, or ICMP packet. This results in an 
attacker's ability to remain anonymous.

Vendor Status:
Kerio have fixed the vulnerability and have provided an updated version 
(4.1.2) available from their site at  
<http://www.kerio.com/kpf_download.html> 
http://www.kerio.com/kpf_download.html

Disclosure Timeline:
30-10-2004   Vulnerability reported
09-11-2004   Release date


ADDITIONAL INFORMATION

The information has been provided by  <mailto:mmaiffret@eeye.com> Marc 
Maiffret of eEye Digital Security.
The original article can be found at:  
<http://www.kerio.com/security_advisory.html> 
http://www.kerio.com/security_advisory.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Kerio Personal Firewall Multiple IP Options DoS, SecuriTeam <=
Previous by Date:  [EXPL] MiniShare GET Buffer Overflow, SecuriTeam
Next by Date:  [NEWS] Cisco IOS DHCP Blocked Interface DoS, SecuriTeam
Previous by Thread:  [EXPL] MiniShare GET Buffer Overflow, SecuriTeam
Next by Thread:  [NEWS] Cisco IOS DHCP Blocked Interface DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]