Kerio 2.1.5 vulnerability

mhicaoidh

Taking a moment's reflection, Hassan I Sahba mused:
|
| You can check it with the ping command. If you allow all ICMP and ping
| someone the green arrow flashes. If you deny all ICMP and ping someone
| the red arrow flashes.

Granted, turning off the tray animation was one of the first things I
did with my Kerio installs. I just assumed it was like Sygate and ZA in
that regard.

| If it was green for inbound and red for outbound both arrows would
| flash as you sent a request and received a reply.

Upon further review, it appears I was mistaken. ;-)
 
Angus Rodgers

| Taking a moment's reflection, Hassan I Sahba mused:
| |
| | You can check it with the ping command. If you allow all ICMP and ping
| | someone the green arrow flashes. If you deny all ICMP and ping someone
| | the red arrow flashes.
|
| Granted, turning off the tray animation was one of the first things I
| did with my Kerio installs. I just assumed it was like Sygate and ZA in
| that regard.
|
| | If it was green for inbound and red for outbound both arrows would
| | flash as you sent a request and received a reply.
|
| Upon further review, it appears I was mistaken. ;-)

Just to add to the confusion, the manual for Kerio Personal
Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):

"The Kerio Personal Firewall icon also represents network
activity of the computer on which the firewall is installed.
Network traffic is represented by little colored bars at the
bottom of the icon:

• green bar — outgoing traffic
• red bar — incoming traffic"

The same colour coding is used by the pop-up Connection
Alert windows (pages 28--29 of the manual).

(Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)
 
Kerodo

| Just to add to the confusion, the manual for Kerio Personal
| Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):
|
| "The Kerio Personal Firewall icon also represents network
| activity of the computer on which the firewall is installed.
| Network traffic is represented by little colored bars at the
| bottom of the icon:
|
| • green bar — outgoing traffic
| • red bar — incoming traffic"

It's possible that 4.xx is different than 2.xx.

| (Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)

4.1.2 is a little weird compared to 2.1.5. The logging sucks in 4.1.2.
I'm using it now as a kind of ZoneAlarm, with no rules at all. It's not
too bad, except the duplicate logging is silly and annoying. Maybe
they'll fix that by 2006. :)
 
POKO

| It's possible that 4.xx is different than 2.xx.
|
| 4.1.2 is a little weird compared to 2.1.5. The logging sucks in 4.1.2.
| I'm using it now as a kind of ZoneAlarm, with no rules at all. It's not
| too bad, except the duplicate logging is silly and annoying. Maybe
| they'll fix that by 2006. :)
|
| --
| Kerodo

Kerodo,
Interesting thread. Just to go back, which freeware firewall would you
recommend with respect to ease of use? I began with ZoneAlarm and converted
to Kerio - now using 2.1.5
POKO
--
P. Keenan - Webmaster
Web Page Design
Manitoulin Island, Canada
http://manitoulinislandwebdesign.it-mate.co.uk/
 
Kerodo

| Kerodo,
| Interesting thread. Just to go back, which freeware firewall would you
| recommend with respect to ease of use? I began with ZoneAlarm and converted
| to Kerio - now using 2.1.5

It doesn't get much easier than ZoneAlarm I would think. It's hard to
recommend any particular firewall. It's best to try them and decide for
yourself. Kerio 2.1.5 was one of my favorites, but it does have some
vulnerabilities, so I've chosen to use others. Outpost Pro is another
one I like. I also like VisNetic, but both those are not free.
 
Hassan I Sahba

| If Kerio returns a SYN ACK that's 2 thirds of the handshake completed,
| but Hping2 doesn't send an ACK to complete the connection.
| I installed OpenBSD on an old P133, but it couldn't find the network
| card. When I get time to get it sorted I'll install fragrouter and
| find out for sure.
<snip>

Just installed fragrouter on a third machine. To recap Kerio's
settings:
"Kerio was configured to Log Packets Addressed to Unopened Ports and
Log Suspicious Packets. Then I made a new rule to block ALL incoming
and outgoing TCP connections and moved it to the top of Kerio's rule
set. Then I made another rule to block ALL ICMP, and made it second
in the list. Both these rules were set to log and alert.
TYPSoft FTP Server Version 1.10 was used to open port 21."
Kerio's Microsoft Networking option was not used.
The Server and Workstation services are not running. No ports except
Kerio's 44334 and 21 are open.
All computers on the LAN are configured as stand alone machines, and
not trusted in any way.

Kerio accepted an ftp connection from a Linux console routed through a
fragrouter and let me log on to TYPSoft. (I knew the password of
course). TYPSoft logged this. CurrPorts confirmed that the connection
was established. When I tried to download a file TYPSoft crashed, so I
tried to upload a file but it crashed again.

Then I used netcat to open port 21 and spawn a shell on connection
(nc -L -p 21 -e cmd.exe). Kerio allowed me to connect with netcat but
showed an alert and logged the connection as blocked??? I was able to
access all the partitions, create and delete files, upload, download
and overwrite files, and run programs remotely.

This is how I see it for Kerio 2.1.5 users.
How would someone find Kerio 2.1.5 machines on the internet? They
could scan an IP address range, sending a fragmented SYN to port
44334, pipe the output to grep flags=SA, then redirect the output to
a text file. This file would contain a list of all the IP addresses in
that range that were running Kerio. Grim stuff!
Then maybe a protocol scan or straight to a port scan to identify any
services running. No services running? ICMP tunneling will get through
now and Hping2 can carry a payload.
Once running services are identified they can be connected to. They
might crash like TYPSoft ftp server or they might accept a connection
like netcat.
Am I safe behind a router? Spyware could check for persfw.exe and if
it finds it send out fragmented packets. Trojans could do the same.

Frankly I've gone right off Kerio at the moment. If they didn't know
about this vulnerability they should have. If they did they should have
announced it. Maybe they couldn't fix it till v4 came out and they
didn't want to withdraw 2.1.5? Who knows?

HiS