[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <434E5E70.8090203@gmail.com>
Date: Thu, 13 Oct 2005 15:17:36 +0200
From: Piotr Bania <bania.piotr@...il.com>
To: SBUGTRAQ <bugtraq@...urityfocus.com>,
FULLDISC <full-disclosure@...ts.grok.org.uk>,
vuln@...unia.com, dailydave@...ts.immunitysec.com
Subject: Kerio Personal Firewall and Kerio Server Firewall
FWDRV driver Local Denial of Service
Kerio Technologies Kerio Personal Firewall and Kerio Server
Firewall FWDRV driver
Local denial of service
by Piotr Bania <bania.piotr@...il.com>
http://pb.specialised.info
Original location:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt
Severity: Low (local machine denial of service -
BSOD)
Software affected: Tested on Kerio Personal Firewall 4
(4.2.0) and KerioServerFirewall
version 1.1.1, however it is highly
possible that earlier versions
are also vulnerable.
I. BACKGROUND
From kerio.com website:
"Kerio Personal Firewall represents smart, easy-to-use personal
security technology that fully protects personal computers
against hackers and internal misuse"
"Kerio ServerFirewall offers IT and security administrators a
powerful and easy-to-use tool to protect their server systems
from worms, buffer-overflow and other internet security
threats."
II. DESCRIPTION
FWDRV driver (core part of the firewall system) monitors all
programs that are trying to connect to the internet. While doing
necessary checks, FWDRV parses the Process Environment Block
(PEB) like the code shows:
;----------SNIP--------------------------------------------
.text:0041C04E mov ecx, [ebp+var_4] ; ECX = PEB base
.text:0041C051 mov edx, [ecx+0Ch] ; EDX = PEB_LDR_DATA
;----------SNIP--------------------------------------------
However while parsing the PEB FWDRV doesn't check if the memory
with Process Environment Block is accessible. It means that if
attacker will set PAGE_NOACCESS or PAGE_GUARD protection to the
PEB block the FWDRV will cause an fatal exception and the
machine will crash.
III. IMPACT
Sample scenario:
Executing connect api function with previously PAGE_NOACCESS
protection set to Process Environment Block will cause an local
machine crash.
IV. POC CODE
Sample POC code was released to vendor.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@...il.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists