The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[NT] Kerio Firewall FWDRV Driver Local DoS


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 20 Oct 2005 19:16:09 +0200
Subject: [NT] Kerio Firewall FWDRV Driver Local DoS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051020172809.89DC857F2@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
X-Spam-Status: No, hits=2.06 tagged_above=2 required=5 tests=AWL, INFO_TLD,
 MSGID_FROM_MTA_ID
X-Spam-Level: **

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Kerio Firewall FWDRV Driver Local DoS
------------------------------------------------------------------------


SUMMARY

" <http://www.kerio.com/>; Kerio Personal Firewall represents smart, 
easy-to-use personal security technology that fully protects personal 
computers against hackers and internal misuse"

"Kerio ServerFirewall offers IT and security administrators a powerful and 
easy-to-use tool to protect their server systems from worms, 
buffer-overflow and other internet security threats."

Lack of proper permissions validation allow local attackers to cause the 
Kerio Firewall to crash.

DETAILS

Vulnerable Systems:
 * Kerio Personal Firewall version 4.2.0
 * Kerio Server Firewall version 1.1.1

FWDRV driver (core part of the firewall system) monitors all programs that 
are trying to connect to the Internet. While doing necessary checks, FWDRV 
parses the Process Environment Block (PEB) like the code shows:

text:0041C04E  mov     ecx, [ebp+var_4]  ; ECX = PEB base
text:0041C051  mov     edx, [ecx+0Ch]    ; EDX = PEB_LDR_DATA

However while parsing the PEB FWDRV doesn't check if the memory with 
Process Environment Block is accessible. It means that if attacker will 
set PAGE_NOACCESS or PAGE_GUARD protection to the PEB block the FWDRV will 
cause an fatal exception and the machine will crash.

Example:
Executing connect api function with previously PAGE_NOACCESS protection 
set to Process Environment Block will cause an local machine crash.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bania.piotr@gmail.com.> Piotr 
Bania.
The original article can be found at:  
<http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt>; 
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру