[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200305090608.h4968VMi001846@mailserver1.hushmail.com>
From: netw3_security at hushmail.com (Curt Wilson)
Subject: Kerio firewall possible fragmentation issue
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Since the Kerio personal firewall is being picked on these days, I thought
I'd throw my two cents in. The firewall is free, so perhaps this is a
case of "you get what you pay for". Still, one expects firewall software
to perform at a certain level. In any case I found a potential issue,
but I'm unable to reproduce it - I didn't fully document all of the
conditions that were required for the issue to present itself (duh).
Basically, I was running the Kerio personal firewall on a Win2K pro box.
Firewall rules were in place to allow certain RFC1918 addresses access
to certain ports. All other source IP's were supposed to be dropped.
An nmap scan from the Internet through fragrouter indicated that the
ports were open. I checked my results at the time, and only those ports
that should have allowed local LAN access were reported as open. I may
have used nmap's fragmentation options, but for some reason I got distracted
and did not document the exact conditions and cannot reproduce. This
could be some type of fluke, but at the time it seemed lke a problem.
At the very least, there could be a problem in the way Kerio handles
packet fragmenation, posibly allowing fragmented exploits to walk right
through in certain cases.
I realize this is vague. I've since ditched Kerio and have not bothered
to follow up on this. I didn't really expect the fragrouter based attacks
to really accomplish anything, but I guess there are still uses for the
tool.
Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wmMEARECACMFAj67RPYcHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3K5hsAJ9KSh9UWCHv33mIAT+V/mQbamejXwCgvufU8xmjJJj38tGIHQCzLx3oNqc=
=ku28
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists