Open Source and information security mailing list archives
 
Message-ID: <200305090608.h4968VMi001846@mailserver1.hushmail.com>
From: netw3_security at hushmail.com (Curt Wilson)
Subject: Kerio firewall possible fragmentation issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Since the Kerio personal firewall is being picked on these days, I thought
I'd throw my two cents in. The firewall is free, so perhaps this is a
case of "you get what you pay for". Still, one expects firewall software
to perform at a certain level. In any case I found a potential issue,
but I'm unable to reproduce it - I didn't fully document all of the
conditions that were required for the issue to present itself (duh).

Basically, I was running the Kerio personal firewall on a Win2K pro box.
Firewall rules were in place to allow certain RFC1918 addresses access
to certain ports. All other source IPs were supposed to be dropped.
An nmap scan from the Internet through fragrouter indicated that the
ports were open. I checked my results at the time, and only those ports
that should have allowed local LAN access were reported as open. I may
have used nmap's fragmentation options, but for some reason I got distracted
and did not document the exact conditions and cannot reproduce. This
could be some type of fluke, but at the time it seemed like a problem.
At the very least, there could be a problem in the way Kerio handles
packet fragmentation, possibly allowing fragmented exploits to walk right
through in certain cases.

I realize this is vague. I've since ditched Kerio and have not bothered
to follow up on this. I didn't really expect the fragrouter based attacks
to really accomplish anything, but I guess there are still uses for the
tool.

Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmMEARECACMFAj67RPYcHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3K5hsAJ9KSh9UWCHv33mIAT+V/mQbamejXwCgvufU8xmjJJj38tGIHQCzLx3oNqc=
=ku28
-----END PGP SIGNATURE-----

