SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Kerio Personal Firewall Vendors:   Kerio Technologies
Kerio Personal Firewall Default Setting Lets Remote Users Send UDP Packets Through the Firewall
SecurityTracker Alert ID:  1006624
SecurityTracker URL:  http://securitytracker.com/id/1006624
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 22 2003
Impact:   Host/resource access via network
Exploit Included:  Yes  
Version(s): 2.1.4
Description:   A vulnerability was reported in the Kerio Personal Firewall. A remote user can send UDP packets through the firewall to the target host.

It is reported that the default rule set of the firewall will cause the firewall to accept any inbound UDP packet with a source port of 53. A remote user can send UDP packets through the firewall to the target host by setting the source port of the packets to 53.

A demonstration exploit using the nmap port scanning tool is provided:

nmap -v -P0 -sU -p 1900 [ip_address] -g 53

The vendor has reportedly been notified.

Impact:   A remote user can send UDP packets through the firewall to the target host.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kerio.com/us/kpf_home.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] UDP bypassing in Kerio Firewall 2.1.4



Issue : UDP bypassing in Kerio Firewall

Affected product : Kerio Firewall 2.1.4 ( last build in his website )

Vendor status : vendor was contacted months ago

Tested Enviroment : switched LAN

Description :

Kerio develops a free firewall thats ships with default rules . Every
incoming / outgoing packet is compared against the default ruleset . As
the first rule accepts incoming packets if remote port is equal to 53 (
DNS ) the firewall can be easily bypassed just setting the source port of
the attack to 53
Exploit : nmap -v -P0 -sU -p 1900 192.168.0.5 -g 53

Recomendations : set a rule to restrict the local ports to a range of
1024-5000 for DNS connections

-- 
Regards ,

David F. Madrid
Madrid , Spain

www.nautopia.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC