SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Kerio Personal Firewall Vendors:   Sunbelt Software
Sunbelt Kerio Personal Firewall Input Validation Flaws in Hooked System Calls Let Local Users Deny Service
SecurityTracker Alert ID:  1016967
SecurityTracker URL:  http://securitytracker.com/id/1016967
CVE Reference:   CVE-2006-5153   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Oct 2 2006
Impact:   Denial of service via local system
Exploit Included:  Yes  
Version(s): 4.3.268 and prior versions
Description:   David Matousek reported a vulnerability in Sunbelt Kerio Personal Firewall. A local user can cause denial of service conditions.

The software does not properly validate user-supplied inputs in several hooked system calls, including the NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile, and NtSetInformationFile calls. A local user can supply specially crafted data to trigger errors in the fwdrv.sys and khips.sys drivers and cause the system to crash.

The original advisory is available at:

http://www.matousec.com/info/advisories/Kerio-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

David Matousek discovered this vulnerability.

Impact:   A local user can cause denial of service conditions on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sunbelt-software.com/Kerio.cfm (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Kerio Multiple insufficient argument validation of hooked SSDT function

Hello,

I would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall.


Description:

Sunbelt Kerio Personal Firewall hooks many functions in SSDT and in at least six cases it fails to validate arguments 
that come from user mode. User calls to NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile, 
NtSetInformationFile with invalid argument values can cause system crashes because of errors in Kerio drivers fwdrv.sys 
and khips.sys. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.


Vulnerable software:

     * Sunbelt Kerio Personal Firewall 4.3.268
     * Sunbelt Kerio Personal Firewall 4.3.246
     * Sunbelt Kerio Personal Firewall 4.2.3.912
     * probably all versions of Sunbelt Kerio Personal Firewall 4
     * possibly older versions of Sunbelt Kerio Personal Firewall



More details and a proof of concept including source code is available here: 
http://www.matousec.com/info/advisories/Kerio-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

Regards,


-- 
David Matousek

Founder and Chief Representative of Matousec - Transparent security
http://www.matousec.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC