If Kerio returns a SYN/ACK, that's two thirds of the handshake completed,
but Hping2 doesn't send an ACK to complete the connection.
I installed OpenBSD on an old P133, but it couldn't find the network
card. When I get time to get it sorted I'll install fragrouter and
find out for sure.
<snip>
Just installed fragrouter on a third machine. To recap Kerio's
settings:
"Kerio was configured to Log Packets Addressed to Unopened Ports and
Log Suspicious Packets. Then I made a new rule to block ALL incoming
and outgoing TCP connections and moved it to the top of Kerio's rule
set. Then I made another rule to block ALL ICMP, and made it second
in the list. Both these rules were set to log and alert.
TYPSoft FTP Server Version 1.10 was used to open port 21."
Kerio's Microsoft Networking option was not used.
The Server and Workstation services are not running. No ports except
Kerio's 44334 and 21 are open.
All computers on the LAN are configured as stand-alone machines, and
not trusted in any way.
Kerio accepted an ftp connection from a Linux console routed through a
fragrouter and let me log on to TYPSoft. (I knew the password of
course). TYPSoft logged this. CurrPorts confirmed that the connection
was established. When I tried to download a file TYPSoft crashed, so I
tried to upload a file but it crashed again.
Then I used netcat to open port 21 and spawn a shell on connection
(nc -L -p 21 -e cmd.exe). Kerio allowed me to connect with netcat but
showed an alert and logged the connection as blocked??? I was able to
access all the partitions, create and delete files, upload, download
and overwrite files, and run programs remotely.
This is how I see it for Kerio 2.1.5 users.
How would someone find Kerio 2.1.5 machines on the internet? They
could scan an IP address range, sending a fragmented SYN to port
44334, pipe the output to grep flags=SA, then redirect the output to
a text file. This file would contain a list of all the IP addresses in
that range that were running Kerio. Grim stuff!
Then maybe a protocol scan or straight to a port scan to identify any
services running. No services running? ICMP tunneling will get through
now and Hping2 can carry a payload.
Once running services are identified they can be connected to. They
might crash like TYPSoft ftp server or they might accept a connection
like netcat.
Am I safe behind a router? Spyware could check for persfw.exe and if
it finds it send out fragmented packets. Trojans could do the same.
Frankly I've gone right off Kerio at the moment. If they didn't know
about this vulnerability they should have. If they did they should have
announced it. Maybe they couldn't fix it till v4 came out and they
didn't want to withdraw 2.1.5? Who knows?
HiS
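The post shows a per-packet rule set being walked past by fragmented traffic. The following is an added example, not code from the post or from Kerio: a small packet filter that holds IP fragments until the datagram is complete and only then evaluates the TCP header, with the two RFC 1858 sanity checks (drop a first fragment too short to carry the TCP header, drop any fragment at offset 1) applied on the way in. It assumes the bypass is the classic fragment case (the post does not say which fragrouter mode was used); the packets, addresses (RFC 5737 range), IP identifiers and the stand-in rule engine are all constructed for the demo.

```python
"""Fragment-aware TCP rule check (added example, not from the original post).

A firewall that matches rules per packet cannot see the TCP flags of a
non-first fragment, and a first fragment can be cut short of the flags
byte on purpose. This filter reassembles first and applies RFC 1858's
two checks; all packets below are constructed samples."""
import struct

TCP_MIN_HEADER = 20  # bytes of TCP header needed to read ports and flags
IP_MF = 0x1          # "more fragments" bit of the IPv4 flags field


def build_ipv4(payload, proto=6, ident=0x1234, mf=False, offset=0):
    """Minimal IPv4 header (no options, zero checksum) in front of payload.
    offset is in 8-byte units, exactly as carried on the wire."""
    flags_frag = ((IP_MF if mf else 0) << 13) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + payload


def build_tcp_syn(dport=44334, sport=40000):
    """20-byte TCP header with only SYN set (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def parse_ipv4(pkt):
    """Pull out the fields the fragment logic needs."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return dict(ident=ident, proto=pkt[9], src=pkt[12:16], dst=pkt[16:20],
                mf=bool((flags_frag >> 13) & IP_MF),
                offset=(flags_frag & 0x1FFF) * 8,
                data=pkt[ihl:total_len])


class FragmentFilter:
    """Holds fragments per (src, dst, id, proto) and evaluates the TCP
    rule only on a complete datagram, never on a lone fragment."""

    def __init__(self):
        self.pending = {}  # key -> {offset: (data, more_fragments)}

    def inspect(self, pkt):
        ip = parse_ipv4(pkt)
        if ip["proto"] != 6:
            return "accept-non-tcp"
        if not ip["mf"] and ip["offset"] == 0:
            return self._rule(ip["data"])  # unfragmented: evaluate directly
        # RFC 1858 check 1: first fragment too short to carry the TCP header
        if ip["offset"] == 0 and len(ip["data"]) < TCP_MIN_HEADER:
            return "drop-tiny-first-fragment"
        # RFC 1858 check 2: offset 1 could overwrite the flags byte on reassembly
        if ip["offset"] == 8:
            return "drop-offset-one"
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        frags = self.pending.setdefault(key, {})
        frags[ip["offset"]] = (ip["data"], ip["mf"])
        try:
            full = self._reassemble(frags)
        except ValueError:
            del self.pending[key]
            return "drop-overlapping-fragment"
        if full is None:
            return "hold-for-reassembly"
        del self.pending[key]
        return self._rule(full)

    @staticmethod
    def _reassemble(frags):
        """Return the payload once every byte up to the last fragment (MF
        clear) is present; None while a gap remains; ValueError on overlap."""
        data, expected = b"", 0
        for off in sorted(frags):
            chunk, mf = frags[off]
            if off < expected:
                raise ValueError("overlapping fragment")
            if off > expected:
                return None
            data += chunk
            expected += len(chunk)
            if not mf:
                return data
        return None

    @staticmethod
    def _rule(tcp):
        """Stand-in rule engine: block every SYN, the connection-setup
        packet the post's block-all-TCP rule was meant to stop."""
        if len(tcp) < TCP_MIN_HEADER:
            return "drop-truncated"
        return "blocked-syn" if tcp[13] & 0x02 else "accept"
```

The important design choice is that a fragment on its own never reaches the rule engine: a rule written in terms of ports and flags can only be evaluated once those bytes are known, and the two RFC 1858 checks reject the fragment shapes that are never produced by a normal IP stack.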