Kerio 2.1.5 vulnerability

am 06.11.2004 01:39:02 von Hans-Peter Sauer

Crosposted to: comp.security.firewalls and alt.comp.freeware

Awhile ago in comp.security.firewalls a poster called Kerodo posted
this article:

http://makeashorterlink.com/?Z42A146B9

which contains a link to this 1999 advisory:

Linux ipchains Firewall Vulnerability
http://linuxtoday.com/news_story.php3?ltsn=1999-08-02-021-10-SC

which I believe was based on this 1998 paper:

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
Detection
http://www.snort.org/docs/idspaper/

As I used Kerio I put it in the 2do list as something to play with,
and recently got round to checking it out.

I went to the grc Shields UP site and passed their scan with all ports
"stealthed". They then told me "From the standpoint of the passing
probes of any hacker, this machine does not exist on the Internet."

Kerio was configured to Log Packets Addressed to Unopened Ports and
Log Suspicious Packets. Then I made a new rule to block ALL incoming
and outgoing TCP connections and moved it to the top of Kerio's rule
set. Then I made another rule to block ALL ICMP, and made it second
in the list. Both these rules were set to log and alert.
TYPSoft FTP Server Version 1.10 was used to open port 21.

All the following packets are TCP sent by hping2 on Linux to an XPpro
(SP2) machine running Kerio 2.1.5.

When sending a SYN to an open or closed port I got no reply. Kerio
logged it and showed an alert. Kerio's red (traffic denied) arrow
flashed in systray.
This is the only good result here.

When I sent a FIN, ACK or RST to an open or closed port I got no
reply. Kerio did not log it or show an alert. The green (traffic
allowed) arrow flashed.
I can understand Kerio not logging this but not why it was allowed.

When I sent a PUSH or an URG to an open or closed port I received a
RST, ACK in reply. Kerio did not log it or show an alert. The green
arrow flashed. Ethereal logged the return packet as a [Tcp Zero
Window] segment.
A return packet. There goes "stealth" out the window. This clearly
shows there is a machine behind the firewall.

When I sent a SYN with the fragment bit set to a closed port I got a
RST, ACK (port closed) back. Kerio did not log it or show an alert.
The green (traffic allowed) arrow flashed.
It's getting worse!!

When I sent a SYN with the fragment bit set to an open port (21) I got
a SYN, ACK (connection accepted) back. Kerio did not log it or show an
alert. The green (traffic allowed) arrow flashed. The ftp server
logged the attempted connection and asked for a user name. Then I
tried again with netcat listening on 21, and netcat saw the incoming
packet and returned a SYN, ACK.
Aaaaarrrggghh!!!!!!!! An accepted connection through the firewall.
All our Kerio's are belong to them :'-(

I had planned to try ICMP packets next, but what's the point?

So it seems any packet with the fragment bit set goes straight through
the firewall, and kerio only logs plain SYN packets.
This vulnerability is nearly 7 YEARS OLD, so there must be people
exploiting it by now. Nice one Kerio. How long have they known this?
Do they not try and enumerate their own firewall?
If they didn't know they are fools and I can no longer trust them.
If they did know and didn't withdraw Kerio I can no longer trust them.

The above may seem complicated to some but this is basic scanning, and
I'm no expert. One day I finally got round to setting up a Linux box,
the next day I played with Hping2 and found this, yet I found nothing
on Google describing this. Surprising to say the least.

So what next I thought. ZoneAlarm of course. I got
zls-free-Setup51033000.exe and installed it. I had to clean kerio
from the registry by hand first as it didn't uninstall cleanly.
ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
4.1.1. Not vulnerable (but my trust is gone).

With info from the above links and a little knowledge of Kerio it's
easy to locate and connect to Kerio 2.1.5 boxes.
What next? It's format and reinstall windows for me.

HiS

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 01:59:01 von Kerodo

In article , me@privacy.net
says...
> So it seems any packet with the fragment bit set goes straight through
> the firewall, and kerio only logs plain SYN packets.
> This vulnerability is nearly 7 YEARS OLD, so there must be people
> exploiting it by now. Nice one Kerio. How long have they known this?
> Do they not try and enumerate their own firewall?
> If they didn't know they are fools and I can no longer trust them.
> If they did know and didn't withdraw Kerio I can no longer trust them.

I am the one who originally wrote about the fragmented packet
vulnerability. I noticed it here many months ago, and have never been
able to get anyone else to listen or verify it. I will not use Kerio
2.1.5 any more because of this problem. It's clear to me that Kerio
2.1.5 does NOT handle fragmented packets properly, and that they DO get
in thru the firewall.

The only reason why I noticed it is because the Messenger spammers are
using this exploit to get spam packets thru firewalls that don't handle
fragmented packets properly. They typically come in with a fragmented
packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
as a result of the inbound packet getting thru.

At any rate, what you are seeing there is true. I have verified it here
many times.

>
> So what next I thought. ZoneAlarm of course. I got
> zls-free-Setup51033000.exe and installed it. I had to clean kerio
> from the registry by hand first as it didn't uninstall cleanly.
> ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
> 4.1.1. Not vulnerable (but my trust is gone).

Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
other than poor logging. I believe they re-wrote Kerio 4 from scratch
so it does not have the fragmented packet processing problem that Kerio
2 does. Or if it is based on Kerio 2, then they fixed the problem.
I've tested it quite a bit.

> With info from the above links and a little knowledge of Kerio it's
> easy to locate and connect to Kerio 2.1.5 boxes.
> What next? It's format and reinstall windows for me.
>
> HiS

Kerio 2.1.5 (and earlier) is the only firewall I've found that has
problems with fragmented packets, and I've tried MANY others and
checked. I think you can probably trust most of the others, including
Sygate, ZoneAlarm, VisNetic, Outpost, Jetico and so on..

Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
I hated parting with it. I have not seen any harmful exploits of this
vulnerability yet, and I doubt that most people would anyway, but it
bothers me enough to discontinue its use and switch to something more
secure.

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 03:49:03 von Hans-Peter Sauer

On Fri, 5 Nov 2004 16:59:01 -0800, Kerodo
wrote:

>In article , me@privacy.net
>says...
>> So it seems any packet with the fragment bit set goes straight through
>> the firewall, and kerio only logs plain SYN packets.
>> This vulnerability is nearly 7 YEARS OLD, so there must be people
>> exploiting it by now. Nice one Kerio. How long have they known this?
>> Do they not try and enumerate their own firewall?
>> If they didn't know they are fools and I can no longer trust them.
>> If they did know and didn't withdraw Kerio I can no longer trust them.
>
>I am the one who originally wrote about the fragmented packet
>vulnerability. I noticed it here many months ago, and have never been
>able to get anyone else to listen or verify it. I will not use Kerio
>2.1.5 any more because of this problem. It's clear to me that Kerio
>2.1.5 does NOT handle fragmented packets properly, and that they DO get
>in thru the firewall.

I remember :-) Does anyone else here use Kerio 2.1.5 on a LAN? If
more people confirm this more people will listen. Here are the links for
Hping2 if anyone's interested:
Linux: http://www.hping.org/hping2.0.0-rc3.tar.gz
Win32: http://wiki.hping.org/uploadedfiles/86/hping2.1-rc2-win32.zip
(Requires WinPCap and Cygwin1.dll)
Mac: http://www.hping.org/macosx/hping2-macosx-rc2-bin

>The only reason why I noticed it is because the Messenger spammers are
>using this exploit to get spam packets thru firewalls that don't handle
>fragmented packets properly. They typically come in with a fragmented
>packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
>as a result of the inbound packet getting thru.

Interesting. Do you have any Ethereal logs of these packets?
I get a few UDP's to 1026 and used to see outbound ICMP type 3 using
2.1.5 but they all went to my DNS server as far as I can remember.

I have a rule to alert on inbound 1026 to remind me I am still online
(dial-up). :-)

>At any rate, what you are seeing there is true. I have verified it here
>many times.
>
>>
>> So what next I thought. ZoneAlarm of course. I got
>> zls-free-Setup51033000.exe and installed it. I had to clean kerio
>> from the registry by hand first as it didn't uninstall cleanly.
>> ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
>> 4.1.1. Not vulnerable (but my trust is gone).
>
>Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
>Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
>other than poor logging. I believe they re-wrote Kerio 4 from scratch
>so it does not have the fragmented packet processing problem that Kerio
>2 does. Or if it is based on Kerio 2, then they fixed the problem.
>I've tested it quite a bit.

I've still got 4.1.1 installed, not sure I'll keep it though.

>> With info from the above links and a little knowledge of Kerio it's
>> easy to locate and connect to Kerio 2.1.5 boxes.
>> What next? It's format and reinstall windows for me.
>>
>> HiS
>
>Kerio 2.1.5 (and earlier) is the only firewall I've found that has
>problems with fragmented packets, and I've tried MANY others and
>checked. I think you can probably trust most of the others, including
>Sygate, ZoneAlarm, VisNetic, Outpost, Jetico and so on..

I haven't used Sygate or Outpost for years, so I'll have a look at
them.

>Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
>I hated parting with it. I have not seen any harmful exploits of this
>vulnerability yet, and I doubt that most people would anyway, but it
>bothers me enough to discontinue its use and switch to something more
>secure.

You wouldn't see them in Kerio because it's FUBAR, lets the packets
through and doesn't log them. Which is probably why they scrapped it
and started a new version. How much more harmful can you get?

HiS

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 04:08:17 von Kerodo

In article , me@privacy.net
says...
> >The only reason why I noticed it is because the Messenger spammers are
> >using this exploit to get spam packets thru firewalls that don't handle
> >fragmented packets properly. They typically come in with a fragmented
> >packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
> >as a result of the inbound packet getting thru.
>
> Interesting. Do you have any Ethereal logs of these packets?
> I get a few UDP's to 1026 and used to see outbound ICMP type 3 using
> 2.1.5 but they all went to my DNS server as far as I can remember.

No, I don't have any Ethereal logs or anything like that. I noticed the
ICMP type 3 to my DNS servers too, but whenever a fragmented packet got
thru, I also saw an outbound type 3 to wherever it came from. That's
what alerted me to the problem in the first place... seeing the type 3
packets to addresses other than DNS servers.

>
> I have a rule to alert on inbound 1026 to remind me I am still online
> (dial-up). :-)

I also noticed the fragments when I ran Sygate for a while. They showed
up as "non-first fragments" in Sygate's logs. A packet along with
another one at the same instant in time to port 1026. Sygate blocked
both, but Kerio lets them thru. That's what's happening here at any
rate. I think it's possible that most people don't notice it because
nobody is exploiting it in their area.

> >
> >Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
> >Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
> >other than poor logging. I believe they re-wrote Kerio 4 from scratch
> >so it does not have the fragmented packet processing problem that Kerio
> >2 does. Or if it is based on Kerio 2, then they fixed the problem.
> >I've tested it quite a bit.
>
> I've still got 4.1.1 installed, not sure I'll keep it though.

I'm experimenting with 4.1.2 right now. There are a lot of bugs left in
4.1.xx, but so far it's tolerable here..

> >Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
> >I hated parting with it. I have not seen any harmful exploits of this
> >vulnerability yet, and I doubt that most people would anyway, but it
> >bothers me enough to discontinue its use and switch to something more
> >secure.

> You wouldn't see them in Kerio because it's FUBAR, lets the packets
> through and doesn't log them. Which is probably why they scrapped it
> and started a new version. How much more harmful can you get?

It's pretty bad, yes..

I don't know if you will be able to get anyone else to listen here, but
hopefully people will. Many people like Kerio 2.x a lot, and would hate
to hear something bad about it. You're likely to get mostly
resistance.. unfortunately. I guess people can continue to use it at
their own risk.. not I though..


--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 04:11:18 von Kerodo

In article , me@privacy.net
says...
> >The only reason why I noticed it is because the Messenger spammers are
> >using this exploit to get spam packets thru firewalls that don't handle
> >fragmented packets properly. They typically come in with a fragmented
> >packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
> >as a result of the inbound packet getting thru.
>
> Interesting. Do you have any Ethereal logs of these packets?
> I get a few UDP's to 1026 and used to see outbound ICMP type 3 using
> 2.1.5 but they all went to my DNS server as far as I can remember.
>
> I have a rule to alert on inbound 1026 to remind me I am still online
> (dial-up). :-)

Just another thought on the above. Since you're using dial-up, you may
not even see that ICMP type 3 outbound, or the spammers 1026 packets
inbound. I'm on cable here 24/7, so that's another story. That's
probably why I see it and others often don't..

At any rate, your tests are much more convincing than my ICMP type 3..

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 13:48:11 von JP Loken

Fri, 5 Nov 2004 19:08:17 -0800, Kerodo wrote :
>

> I don't know if you will be able to get anyone else to listen here, but
> hopefully people will. Many people like Kerio 2.x a lot, and would hate
> to hear something bad about it. You're likely to get mostly
> resistance.. unfortunately. I guess people can continue to use it at
> their own risk.. not I though..

Thanks to both of you!
I didn't understand everything, but enough to be convinced. Kerio 2.x is
now deleted from my home computer.


--
JP Loken

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 21:15:52 von Mock Turtle

On Fri, 5 Nov 2004 16:59:01 -0800, Kerodo
wrote:

|In article , me@privacy.net
|says...
|> So it seems any packet with the fragment bit set goes straight through
|> the firewall, and kerio only logs plain SYN packets.
|> This vulnerability is nearly 7 YEARS OLD, so there must be people
|> exploiting it by now. Nice one Kerio. How long have they known this?
|> Do they not try and enumerate their own firewall?
|> If they didn't know they are fools and I can no longer trust them.
|> If they did know and didn't withdraw Kerio I can no longer trust them.
|
|I am the one who originally wrote about the fragmented packet
|vulnerability. I noticed it here many months ago, and have never been
|able to get anyone else to listen or verify it. I will not use Kerio
|2.1.5 any more because of this problem. It's clear to me that Kerio
|2.1.5 does NOT handle fragmented packets properly, and that they DO get
|in thru the firewall.
|
|The only reason why I noticed it is because the Messenger spammers are
|using this exploit to get spam packets thru firewalls that don't handle
|fragmented packets properly. They typically come in with a fragmented
|packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
|as a result of the inbound packet getting thru.
|
|At any rate, what you are seeing there is true. I have verified it here
|many times.
|
|>
|> So what next I thought. ZoneAlarm of course. I got
|> zls-free-Setup51033000.exe and installed it. I had to clean kerio
|> from the registry by hand first as it didn't uninstall cleanly.
|> ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
|> 4.1.1. Not vulnerable (but my trust is gone).
|
|Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
|Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
|other than poor logging. I believe they re-wrote Kerio 4 from scratch
|so it does not have the fragmented packet processing problem that Kerio
|2 does. Or if it is based on Kerio 2, then they fixed the problem.
|I've tested it quite a bit.
|
|> With info from the above links and a little knowledge of Kerio it's
|> easy to locate and connect to Kerio 2.1.5 boxes.
|> What next? It's format and reinstall windows for me.
|>
|> HiS
|
|Kerio 2.1.5 (and earlier) is the only firewall I've found that has
|problems with fragmented packets, and I've tried MANY others and
|checked. I think you can probably trust most of the others, including
|Sygate, ZoneAlarm, VisNetic, Outpost, Jetico and so on..
|
|Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
|I hated parting with it. I have not seen any harmful exploits of this
|vulnerability yet, and I doubt that most people would anyway, but it
|bothers me enough to discontinue its use and switch to something more
|secure.

Sorry if this is a dumb question, but ...

If I have Kerio 2.1.5 running, but it has a problem letting fragmented
packets through, can I close that hole with a rule in the D-Link
DI-604 router firewall? The router is new and I don't understand yet
what rules I need to put into its firewall. There are quite a few
rules in Kerio which I had running before I got the router.

Re: Kerio 2.1.5 vulnerability

am 06.11.2004 21:48:50 von Kerodo

In article <10oqc82av1et089@corp.supernews.com>, mock@turtle.com says...
> On Fri, 5 Nov 2004 16:59:01 -0800, Kerodo
> wrote:
>
> |In article , me@privacy.net
> |says...
> |> So it seems any packet with the fragment bit set goes straight through
> |> the firewall, and kerio only logs plain SYN packets.
> |> This vulnerability is nearly 7 YEARS OLD, so there must be people
> |> exploiting it by now. Nice one Kerio. How long have they known this?
> |> Do they not try and enumerate their own firewall?
> |> If they didn't know they are fools and I can no longer trust them.
> |> If they did know and didn't withdraw Kerio I can no longer trust them.
> |
> |I am the one who originally wrote about the fragmented packet
> |vulnerability. I noticed it here many months ago, and have never been
> |able to get anyone else to listen or verify it. I will not use Kerio
> |2.1.5 any more because of this problem. It's clear to me that Kerio
> |2.1.5 does NOT handle fragmented packets properly, and that they DO get
> |in thru the firewall.
> |
> |The only reason why I noticed it is because the Messenger spammers are
> |using this exploit to get spam packets thru firewalls that don't handle
> |fragmented packets properly. They typically come in with a fragmented
> |packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
> |as a result of the inbound packet getting thru.
> |
> |At any rate, what you are seeing there is true. I have verified it here
> |many times.
> |
> |>
> |> So what next I thought. ZoneAlarm of course. I got
> |> zls-free-Setup51033000.exe and installed it. I had to clean kerio
> |> from the registry by hand first as it didn't uninstall cleanly.
> |> ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
> |> 4.1.1. Not vulnerable (but my trust is gone).
> |
> |Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
> |Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
> |other than poor logging. I believe they re-wrote Kerio 4 from scratch
> |so it does not have the fragmented packet processing problem that Kerio
> |2 does. Or if it is based on Kerio 2, then they fixed the problem.
> |I've tested it quite a bit.
> |
> |> With info from the above links and a little knowledge of Kerio it's
> |> easy to locate and connect to Kerio 2.1.5 boxes.
> |> What next? It's format and reinstall windows for me.
> |>
> |> HiS
> |
> |Kerio 2.1.5 (and earlier) is the only firewall I've found that has
> |problems with fragmented packets, and I've tried MANY others and
> |checked. I think you can probably trust most of the others, including
> |Sygate, ZoneAlarm, VisNetic, Outpost, Jetico and so on..
> |
> |Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
> |I hated parting with it. I have not seen any harmful exploits of this
> |vulnerability yet, and I doubt that most people would anyway, but it
> |bothers me enough to discontinue its use and switch to something more
> |secure.
>
> Sorry if this is a dumb question, but ...
>
> If I have Kerio 2.1.5 running, but it has a problem letting fragmented
> packets through, can I close that hole with a rule in the D-Link
> DI-604 router firewall? The router is new and I don't understand yet
> what rules I need to put into its firewall. There are quite a few
> rules in Kerio which I had running before I got the router.

I don't have a router myself, so I know very little about them, but I
would think that if you do have a router, then this fragmented packet
stuff would not be an issue. The router should block all unsolicited
inbound traffic by default (correct me someone if I'm wrong...). You
would be using Kerio mostly for outbound application control, which is
not one of its strong points anyway. Any good firewall can do that,
including ZA and so on.

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 07.11.2004 01:32:55 von Hans-Peter Sauer

On Fri, 5 Nov 2004 19:08:17 -0800, Kerodo
wrote:
>
>No, I don't have any Ethereal logs or anything like that. I noticed the
>ICMP type 3 to my DNS servers too, but whenever a fragmented packet got
>thru, I also saw an outbound type 3 to wherever it came from. That's
>what alerted me to the problem in the first place... seeing the type 3
>packets to addresses other than DNS servers.

Do you know what code the type 3's had? Probably code 2 or 3 I would
think. Kerio only informs you of the type, not the code, which is a
pain.

>I also noticed the fragments when I ran Sygate for a while. They showed
>up as "non-first fragments" in Sygate's logs. A packet along with
>another one at the same instant in time to port 1026. Sygate blocked
>both, but Kerio lets them thru. That's what's happening here at any
>rate. I think it's possible that most people don't notice it because
>nobody is exploiting it in their area.
>

This is worth a read, it's quite short for an RFC:

Security Considerations for IP Fragment Filtering
http://rfc.net/rfc1858.html

"Fortunately, we do not need to remove all fragments of an offending
packet. Since "interesting" packet information is contained in the
headers at the beginning, filters are generally applied only to the
first fragment. Non-first fragments are passed without filtering,
because it will be impossible for the destination host to complete
reassembly of the packet if the first fragment is missing, and
therefore the entire packet will be discarded."

Non-first fragments can be sent with Hping2 with this option:
-g --fragoff set the fragment offset
Set it to 1.

I found another packet crafting tool called Frameip but I haven't
tried it out yet. www.frameip.com

His
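The RFC 1858 rules quoted above and the fragment bypass reported at the top of the thread, as an added example (not code from any poster, and not Kerio's own logic): a naive filter that models the observed 2.1.5 behaviour (reconstructed from the posts) next to a hardened one that applies the RFC's tiny-fragment and FO=1 rules, inspects every first fragment regardless of the MF bit, and passes non-first fragments only when their first fragment was admitted. All packets and addresses are constructed in memory; nothing is sent.

```python
"""Fragment-aware inbound TCP filter modelled on RFC 1858 (added example).

naive_filter reconstructs the behaviour reported in the thread (MF set =>
pass unlogged; only a plain SYN is blocked); it is a model, not Kerio code.
HardenedFilter applies RFC 1858 and tracks first-fragment verdicts.
"""
import struct

TCP = 6
IP_MF = 0x2000        # IPv4 "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset in 8-byte units
TMIN = 16             # RFC 1858: bytes of TCP header needed to see the flags
TH_SYN, TH_ACK = 0x02, 0x10
SRC = bytes([192, 0, 2, 10])   # constructed sender address (RFC 5737 range)
DST = bytes([192, 0, 2, 20])   # constructed firewall host address


def parse_ipv4(pkt):
    """Extract the IPv4 fields the filter needs; TCP flags only from a first fragment."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    h = {"src": src, "dst": dst, "id": ident, "proto": proto,
         "mf": bool(flags_off & IP_MF), "fo": flags_off & IP_OFFMASK,
         "payload": pkt[ihl:]}
    if proto == TCP and h["fo"] == 0 and len(h["payload"]) >= TMIN:
        _, h["dport"], _, _, _, h["tcp_flags"] = struct.unpack("!HHIIBB", h["payload"][:14])
    return h


def build_packet(ident, mf, fo, tcp_flags=TH_SYN, dport=21, tcp_len=20):
    """Construct a minimal IPv4+TCP packet; tcp_len < 20 models a tiny fragment."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident,
                     (IP_MF if mf else 0) | (fo & IP_OFFMASK), 64, TCP, 0, SRC, DST)
    return ip + tcp[:tcp_len]


def _drop(log, h, reason):
    log.append("DROP id=%d fo=%d mf=%d: %s" % (h["id"], h["fo"], h["mf"], reason))
    return "DROP"


def naive_filter(pkt, log):
    """Model of the reported 2.1.5 behaviour: fragments skip the rule set and the log."""
    h = parse_ipv4(pkt)
    if h["mf"] or h["fo"]:
        return "ALLOW"                     # the hole: any fragment passes unlogged
    if h.get("tcp_flags", 0) & TH_SYN:
        return _drop(log, h, "inbound SYN")
    return "ALLOW"                         # FIN/ACK/RST/PSH/URG probes pass silently


class HardenedFilter:
    """First fragments are filtered like any packet; later fragments follow that verdict."""

    def __init__(self, open_ports=frozenset()):
        self.open_ports = set(open_ports)  # empty = the thread's "block ALL incoming TCP" rule
        self.admitted = set()              # (src, dst, id, proto) of admitted first fragments

    def check(self, pkt, log):
        h = parse_ipv4(pkt)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        if h["proto"] == TCP and h["fo"] == 0 and len(h["payload"]) < TMIN:
            return _drop(log, h, "tiny first fragment hides TCP flags (RFC 1858)")
        if h["proto"] == TCP and h["fo"] == 1:
            return _drop(log, h, "FO=1 fragment could overwrite TCP flags (RFC 1858)")
        if h["fo"] == 0:
            verdict = self._rules(h, log)  # applied regardless of the MF bit
            if verdict == "ALLOW" and h["mf"]:
                self.admitted.add(key)
            return verdict
        if key in self.admitted:           # non-first fragment of an admitted datagram
            if not h["mf"]:
                self.admitted.discard(key) # last fragment: forget the datagram
            return "ALLOW"
        return _drop(log, h, "non-first fragment with no admitted first fragment")

    def _rules(self, h, log):
        """Inbound policy: only a plain SYN to an open port may start a connection."""
        if h["proto"] != TCP:
            return _drop(log, h, "non-TCP inbound")
        f, port = h["tcp_flags"], h["dport"]
        if f & TH_SYN and not f & TH_ACK and port in self.open_ports:
            return "ALLOW"
        return _drop(log, h, "unsolicited TCP flags=0x%02x to port %d" % (f, port))


def compare(pkt, open_ports=frozenset()):
    """Run both filters on one packet: (naive_verdict, hardened_verdict, hardened_log)."""
    naive_log, hard_log = [], []
    return naive_filter(pkt, naive_log), HardenedFilter(open_ports).check(pkt, hard_log), hard_log


if __name__ == "__main__":
    for name, pkt in [("plain SYN", build_packet(1, False, 0)),
                      ("SYN with MF set", build_packet(2, True, 0)),
                      ("unsolicited ACK", build_packet(3, False, 0, TH_ACK))]:
        print(name, compare(pkt))
```

The stateful part only covers inbound datagrams; a real host firewall also keeps state for flows the host itself opened, which is omitted here.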

Re: Kerio 2.1.5 vulnerability

am 07.11.2004 01:33:00 von Hans-Peter Sauer

On Sat, 06 Nov 2004 12:48:11 GMT, "JP Loken"
wrote:

>Fri, 5 Nov 2004 19:08:17 -0800, Kerodo wrote :
>>
>
>> I don't know if you will be able to get anyone else to listen here, but
>> hopefully people will. Many people like Kerio 2.x a lot, and would hate
>> to hear something bad about it. You're likely to get mostly
>> resistance.. unfortunately. I guess people can continue to use it at
>> their own risk.. not I though..
>
>Thanks to both of you!
>I didn't understand everything, but enough to be convinced. Kerio 2.x is
>now deleted from my home computer.

Well done mate. You're better off without it.

HiS

Re: Kerio 2.1.5 vulnerability

am 07.11.2004 01:33:07 von Hans-Peter Sauer

On Fri, 5 Nov 2004 19:11:18 -0800, Kerodo
wrote:

>In article , me@privacy.net
>says...
>> >The only reason why I noticed it is because the Messenger spammers are
>> >using this exploit to get spam packets thru firewalls that don't handle
>> >fragmented packets properly. They typically come in with a fragmented
>> >packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
>> >as a result of the inbound packet getting thru.
>>
>> Interesting. Do you have any Ethereal logs of these packets?
>> I get a few UDP's to 1026 and used to see outbound ICMP type 3 using
>> 2.1.5 but they all went to my DNS server as far as I can remember.
>>
>> I have a rule to alert on inbound 1026 to remind me I am still online
>> (dial-up). :-)
>
>Just another thought on the above. Since you're using dial-up, you may
>not even see that ICMP type 3 outbound, or the spammers 1026 packets
>inbound. I'm on cable here 24/7, so that's another story. That's
>probably why I see it and others often don't..
>
>At any rate, your tests are much more convincing than my ICMP type 3..

I remember seeing ICMP type 3 outbound and incoming UDP 1026 in the
logs. Ethereal confirmed the 1026's were Messenger spam. I didn't get
round to checking out the type 3's though.

On a lighter note my local exchange is ADSL enabled now, so as soon as
I find a suitable provider I'll subscribe. We got a gas connection and
ADSL in the same month. What more could a cold modem user want? :-)

HiS

Re: Kerio 2.1.5 vulnerability

am 07.11.2004 02:48:50 von Kerodo

In article , me@privacy.net
says...
> On Fri, 5 Nov 2004 19:08:17 -0800, Kerodo
> wrote:
> >
> >No, I don't have any Ethereal logs or anything like that. I noticed the
> >ICMP type 3 to my DNS servers too, but whenever a fragmented packet got
> >thru, I also saw an outbound type 3 to wherever it came from. That's
> >what alerted me to the problem in the first place... seeing the type 3
> >packets to addresses other than DNS servers.
>
> Do you know what code the type 3's had? Probably code 2 or 3 I would
> think. Kerio only informs you of the type, not the code, which is a
> pain.

No, unfortunately I don't.. Kerio doesn't offer that info. Others do,
for example Jetico and Outpost I believe does, but no such luck in
Kerio.

> >I also noticed the fragments when I ran Sygate for a while. They showed
> >up as "non-first fragments" in Sygate's logs. A packet along with
> >another one at the same instant in time to port 1026. Sygate blocked
> >both, but Kerio lets them thru. That's what's happening here at any
> >rate. I think it's possible that most people don't notice it because
> >nobody is exploiting it in their area.
> >
>
> This is worth a read, it's quite short for an RFC:
>
> Security Considerations for IP Fragment Filtering
> http://rfc.net/rfc1858.html
>
> "Fortunately, we do not need to remove all fragments of an offending
> packet. Since "interesting" packet information is contained in the
> headers at the beginning, filters are generally applied only to the
> first fragment. Non-first fragments are passed without filtering,
> because it will be impossible for the destination host to complete
> reassembly of the packet if the first fragment is missing, and
> therefore the entire packet will be discarded."
>
> Non-first fragments can be sent with Hping2 with this option:
> -g --fragoff set the fragment offset
> Set it to 1.
>
> I found another packet crafting tool called Frameip but I haven't
> tried it out yet. www.frameip.com

Very interesting. Someone in another forum has voiced the opinion that
this exploit could not really be used to establish a concurrent TCP
session (whatever that means?). So in his opinion, all this is not
really a serious problem. Whether or not this is true, I don't know,
but I don't feel comfortable with any firewall that allows packets thru,
harmful or not. It's a firewall's job to keep packets out.

I'm using VisNetic Firewall now. It's a straightforward rules based
stateful inspection firewall. No outbound app control, but it should be
all I need assuming I practice safe computing.

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 08.11.2004 20:34:54 von mhicaoidh

Taking a moment's reflection, Mock Turtle mused:
|
| If I have Kerio 2.1.5 running, but it has a problem letting fragmented
| packets through, can I close that hole with a rule in the D-Link
| DI-604 router firewall? The router is new and I don't understand yet
| what rules I need to put into its firewall. There are quite a few
| rules in Kerio which I had running before I got the router.

No need for a special rule in your router ... unless the fragmented
packet is in response to something you've initiated (highly unlikely). The
unsolicited traffic will be automatically dropped by the router, and never
make it to Kerio.

The question I have about the vulnerability is: If we concede it
exists, what is the real security ramification? If it's simply that it
allows someone to get around the "stealth" feature, then I'm not overly
concerned about it. A closed port is as good as a stealthed port in terms
of security.

Re: Kerio 2.1.5 vulnerability

am 08.11.2004 20:49:17 von mhicaoidh

Taking a moment's reflection, Hassan I Sahba mused:
|
| The green (traffic allowed) arrow flashed.

I believe the green and red arrows on the Kerio icon in the System Tray
merely indicate inbound (green) and outbound (red) traffic. This is
somewhat of a standard as Kerio, ZA, and perhaps Sygate used this same
format. I do not believe they indicate "allowed" or "blocked" traffic.

Re: Kerio 2.1.5 vulnerability

am 09.11.2004 01:13:01 von Hans-Peter Sauer

On Sat, 6 Nov 2004 17:48:50 -0800, Kerodo
wrote:
>Very interesting. Someone in another forum has voiced the opinion that
>this exploit could not really be used to establish a concurrent TCP
>session (whatever that means?). So in his opinion, all this is not
>really a serious problem. Whether or not this is true, I don't know,
>but I don't feel comfortable with any firewall that allows packets thru,
>harmful or not. It's a firewall's job to keep packets out.

If Kerio returns a SYN ACK that's 2 thirds of the handshake completed,
but Hping2 doesn't send an ACK to complete the connection.
I installed OpenBSD on an old P133, but it couldn't find the network
card. When I get time to get it sorted I'll install fragrouter and
find out for sure.

>I'm using VisNetic Firewall now. It's a straightforward rules based
>stateful inspection firewall. No outbound app control, but it should be
>all I need assuming I practice safe computing.

I like app control. My keyboard wants to connect out to port 80

HiS.

Re: Kerio 2.1.5 vulnerability

am 09.11.2004 01:13:02 von Hans-Peter Sauer

On Mon, 08 Nov 2004 19:49:17 GMT, "mhicaoidh"
<®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote:

>Taking a moment's reflection, Hassan I Sahba mused:
>|
>| The green (traffic allowed) arrow flashed.
>
> I believe the green and red arrows on the Kerio icon in the System Tray
>merely indicate inbound (green) and outbound (red) traffic. This is
>somewhat of a standard as Kerio, ZA, and perhaps Sygate used this same
>format. I do not believe they indicate "allowed" or "blocked" traffic.
>

You can check it with the ping command. If you allow all ICMP and ping
someone the green arrow flashes. If you deny all ICMP and ping someone
the red arrow flashes.
If it was green for inbound and red for outbound both arrows would
flash as you sent a request and received a reply.

Re: Kerio 2.1.5 vulnerability

am 09.11.2004 02:58:11 von Kerodo

In article <15Qjd.8423$V41.6854@attbi_s52>,
®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com says...
> Taking a moment's reflection, Hassan I Sahba mused:
> |
> | The green (traffic allowed) arrow flashed.
>
> I believe the green and red arrows on the Kerio icon in the System Tray
> merely indicate inbound (green) and outbound (red) traffic. This is
> somewhat of a standard as Kerio, ZA, and perhaps Sygate used this same
> format. I do not believe they indicate "allowed" or "blocked" traffic.

I think that you might at minimum have it backwards. When I used to
run Kerio and go to grc.com to run the tests, as they were running I
would see the red arrow flashing constantly, which means either blocked
traffic or inbound traffic.

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 09.11.2004 03:43:38 von mhicaoidh

Taking a moment's reflection, Hassan I Sahba mused:
|
| You can check it with the ping command. If you allow all ICMP and ping
| someone the green arrow flashes. If you deny all ICMP and ping someone
| the red arrow flashes.

Granted, turning off the tray animation was one of the first things I
did with my Kerio installs. I just assumed it was like Sygate and ZA in
that regard.

| If it was green for inbound and red for outbound both arrows would
| flash as you sent a request and received a reply.

Upon further review, it appears I was mistaken. ;-)

Re: Kerio 2.1.5 vulnerability

am 10.11.2004 23:35:24 von Angus Rodgers

On Tue, 09 Nov 2004 02:43:38 GMT, "mhicaoidh"
<®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote:

>Taking a moment's reflection, Hassan I Sahba mused:
>|
>| You can check it with the ping command. If you allow all ICMP and ping
>| someone the green arrow flashes. If you deny all ICMP and ping someone
>| the red arrow flashes.
>
> Granted, turning off the tray animation was one of the first things I
>did with my Kerio installs. I just assumed it was like Sygate and ZA in
>that regard.
>
>| If it was green for inbound and red for outbound both arrows would
>| flash as you sent a request and received a reply.
>
> Upon further review, it appears I was mistaken. ;-)

Just to add to the confusion, the manual for Kerio Personal
Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):

"The Kerio Personal Firewall icon also represents network
activity of the computer on which the firewall is installed.
Network traffic is represented by little colored bars at the
bottom of the icon:

• green bar — outgoing traffic
• red bar — incoming traffic"

The same colour coding is used by the pop-up Connection
Alert windows (pages 28-29 of the manual).

(Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)

--
Angus Rodgers
(angus_prune@ eats spam; reply to angusrod@)
Contains mild peril

Re: Kerio 2.1.5 vulnerability

am 11.11.2004 02:15:48 von Kerodo

In article <7s55p097mgfgc4i1g4tsh2gm47ahsd9qmc@4ax.com>,
angusr@bigfoot.com says...
> On Tue, 09 Nov 2004 02:43:38 GMT, "mhicaoidh"
> <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote:
>
> >Taking a moment's reflection, Hassan I Sahba mused:
> >|
> >| You can check it with the ping command. If you allow all ICMP and ping
> >| someone the green arrow flashes. If you deny all ICMP and ping someone
> >| the red arrow flashes.
> >
> > Granted, turning off the tray animation was one of the first things I
> >did with my Kerio installs. I just assumed it was like Sygate and ZA in
> >that regard.
> >
> >| If it was green for inbound and red for outbound both arrows would
> >| flash as you sent a request and received a reply.
> >
> > Upon further review, it appears I was mistaken. ;-)
>
> Just to add to the confusion, the manual for Kerio Personal
> Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):
>
> "The Kerio Personal Firewall icon also represents network
> activity of the computer on which the firewall is installed.
> Network traffic is represented by little colored bars at the
> bottom of the icon:
>
> • green bar — outgoing traffic
> • red bar — incoming traffic"
>

It's possible that 4.xx is different than 2.xx.

> (Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)

4.1.2 is a little weird compared to 2.1.5. The logging sucks in 4.1.2.
I'm using it now as a kind of ZoneAlarm, with no rules at all. It's not
too bad, except the duplicate logging is silly and annoying. Maybe
they'll fix that by 2006. :)


--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 11.11.2004 04:53:22 von POKO

In article ,
loopback@localhost.com says...
> In article <7s55p097mgfgc4i1g4tsh2gm47ahsd9qmc@4ax.com>,
> angusr@bigfoot.com says...
> > On Tue, 09 Nov 2004 02:43:38 GMT, "mhicaoidh"
> > <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote:
> >
> > >Taking a moment's reflection, Hassan I Sahba mused:
> > >|
> > >| You can check it with the ping command. If you allow all ICMP and ping
> > >| someone the green arrow flashes. If you deny all ICMP and ping someone
> > >| the red arrow flashes.
> > >
> > > Granted, turning off the tray animation was one of the first things I
> > >did with my Kerio installs. I just assumed it was like Sygate and ZA in
> > >that regard.
> > >
> > >| If it was green for inbound and red for outbound both arrows would
> > >| flash as you sent a request and received a reply.
> > >
> > > Upon further review, it appears I was mistaken. ;-)
> >
> > Just to add to the confusion, the manual for Kerio Personal
> > Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):
> >
> > "The Kerio Personal Firewall icon also represents network
> > activity of the computer on which the firewall is installed.
> > Network traffic is represented by little colored bars at the
> > bottom of the icon:
> >
> > • green bar — outgoing traffic
> > • red bar — incoming traffic"
> >
>
> It's possible that 4.xx is different than 2.xx.
>
> > (Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)
>
> 4.1.2 is a little weird compared to 2.1.5. The logging sucks in 4.1.2.
> I'm using it now as a kind of ZoneAlarm, with no rules at all. It's not
> too bad, except the duplicate logging is silly and annoying. Maybe
> they'll fix that by 2006. :)
>
>
> --
> Kerodo
>
Kerodo,
Interesting thread. Just to go back, which freeware firewall would you
recommend with respect ease of use? I began with ZoneAlarm and converted
to Kerio - now using 2.1.5
POKO
--
P. Keenan - Webmaster
Web Page Design
Manitoulin Island, Canada
http://manitoulinislandwebdesign.it-mate.co.uk/
pokokat@NOSPAMvianet.ca

Re: Kerio 2.1.5 vulnerability

am 11.11.2004 06:41:04 von Kerodo

In article ,
pokokat@NOSPAMvianet.ca says...
> In article ,
> loopback@localhost.com says...
> > In article <7s55p097mgfgc4i1g4tsh2gm47ahsd9qmc@4ax.com>,
> > angusr@bigfoot.com says...
> > > On Tue, 09 Nov 2004 02:43:38 GMT, "mhicaoidh"
> > > <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote:
> > >
> > > >Taking a moment's reflection, Hassan I Sahba mused:
> > > >|
> > > >| You can check it with the ping command. If you allow all ICMP and ping
> > > >| someone the green arrow flashes. If you deny all ICMP and ping someone
> > > >| the red arrow flashes.
> > > >
> > > > Granted, turning off the tray animation was one of the first things I
> > > >did with my Kerio installs. I just assumed it was like Sygate and ZA in
> > > >that regard.
> > > >
> > > >| If it was green for inbound and red for outbound both arrows would
> > > >| flash as you sent a request and received a reply.
> > > >
> > > > Upon further review, it appears I was mistaken. ;-)
> > >
> > > Just to add to the confusion, the manual for Kerio Personal
> > > Firewall 4.1 states (page 17 of file kpf41-en-v1.pdf):
> > >
> > > "The Kerio Personal Firewall icon also represents network
> > > activity of the computer on which the firewall is installed.
> > > Network traffic is represented by little colored bars at the
> > > bottom of the icon:
> > >
> > > • green bar — outgoing traffic
> > > • red bar — incoming traffic"
> > >
> >
> > It's possible that 4.xx is different than 2.xx.
> >
> > > (Incidentally, 4.1.2 is driving me mad. I liked 2.1.5. Wah!)
> >
> > 4.1.2 is a little weird compared to 2.1.5. The logging sucks in 4.1.2.
> > I'm using it now as a kind of ZoneAlarm, with no rules at all. It's not
> > too bad, except the duplicate logging is silly and annoying. Maybe
> > they'll fix that by 2006. :)
> >
> >
> > --
> > Kerodo
> >
> Kerodo,
> Interesting thread. Just to go back, which freeware firewall would you
> recommend with respect ease of use? I began with ZoneAlarm and converted
> to Kerio - now using 2.1.5

It doesn't get much easier than ZoneAlarm I would think. It's hard to
recommend any particular firewall. It's best to try them and decide for
yourself. Kerio 2.1.5 was one of my favorites, but it does have some
vulnerabilities, so I've chosen to use others. Outpost Pro is another
one I like. I also like VisNetic, but both those are not free.

--
Kerodo

Re: Kerio 2.1.5 vulnerability

am 12.11.2004 09:54:58 von unknown

On Sat, 6 Nov 2004 12:48:50 -0800, Kerodo
wrote:

>...
>I don't have a router myself, so I know very little about them, but I
>would think that if you do have a router, then this fragmented packet
>stuff would not be an issue. The router should block all unsolicited
>inbound traffic by default (correct me someone if I'm wrong...). You
>would be using Kerio mostly for outbound application control, which is
>not one of it's strong points anyway. Any good firewall can do that,
>including ZA and so on.

Glad to hear all this isn't too much of a problem if you have a
router.

2.1.5 works ok as an outgoing watchdog and a great monitor for
Newsplex connections.

Re: Kerio 2.1.5 vulnerability

am 13.11.2004 00:46:13 von Hans-Peter Sauer

On Tue, 09 Nov 2004 00:13:01 +0000, Hassan I Sahba
wrote:

>On Sat, 6 Nov 2004 17:48:50 -0800, Kerodo
>wrote:
>
>
>
>>Very intersting. Someone in another forum has voiced the opinion that
>>this exploit could not really be used to establish a concurrent TCP
>>session (whatever that means?). So in his opinion, all this is not
>>really a serious problem. Whether or not this is true, I don't know,
>>but I don't feel comfortable with any firewall that allows packets thru,
>>harmful or not. It's a firewall's job to keep packets out.
>
>If Kerio returns a SYN ACK that's 2 thirds of the handshake completed,
>but Hping2 doesn't send an ACK to complete the connection.
>I installed OpenBSD on an old P133, but it couldn't find the network
>card. When I get time to get it sorted I'll install fragrouter and
>find out for sure.


Just installed fragrouter on a third machine. To recap Kerio's
settings:
"Kerio was configured to Log Packets Addressed to Unopened Ports and
Log Suspicious Packets. Then I made a new rule to block ALL incoming
and outgoing TCP connections and moved it to the top of Kerio's rule
set. Then I made another rule to block ALL ICMP, and made it second
in the list. Both these rules were set to log and alert.
TYPSoft FTP Server Version 1.10 was used to open port 21."
Kerio's Microsoft Networking option was not used.
The Server and Workstation services are not running. No ports except
Kerio's 44334 and 21 are open.
All computers on the LAN are configured as stand alone machines, and
not trusted in any way.

Kerio accepted an ftp connection from a Linux console routed through a
fragrouter and let me log on to TYPSoft. (I knew the password of
course). TYPSoft logged this. CurrPorts confirmed that the connection
was established. When I tried to download a file TYPSoft crashed, so I
tried to upload a file but it crashed again.

Then I used netcat to open port 21 and spawn a shell on connection
(nc -L -p 21 -e cmd.exe). Kerio allowed me to connect with netcat but
showed an alert and logged the connection as blocked??? I was able to
access all the partitions, create and delete files, upload, download
and overwrite files, and run programs remotely.

This is how I see it for Kerio 2.1.5 users.
How would someone find Kerio 2.1.5 machines on the internet? They
could scan an IP address range, sending a fragmented SYN to port
44334, pipe the output to grep flags=SA, then redirect the output to
a text file. This file would contain a list of all the IP addresses in
that range that were running Kerio. Grim stuff!
Then maybe a protocol scan or straight to a port scan to identify any
services running. No services running? ICMP tunneling will get through
now and hping2 can carry a payload.
Once running services are identified they can be connected to. They
might crash like TYPSoft ftp server or they might accept a connection
like netcat.
Am I safe behind a router? Spyware could check for persfw.exe and if
it finds it send out fragmented packets. Trojans could do the same.

Frankly I've gone right off Kerio at the moment. If they didn't know
about this vulnerability they should have. If they did they should have
announced it. Maybe they couldn't fix it until v4 came out and they
didn't want to withdraw 2.1.5? Who knows?

HiS
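
The evasion this post is probing, shown as an added example that is not
part of the thread and is not Kerio's or fragrouter's code: a TCP SYN is
split into 8-byte IP fragments so that the flags byte (offset 13 of the
TCP header) lands in the second fragment. A hypothetical filter that
judges each packet on its own, with a "drop inbound TCP SYN" rule like
the one at the top of the rule set above, sees a first fragment too
short to match and non-first fragments with no TCP header at all, and
passes every piece; the same rule applied after reassembly drops the
datagram. The addresses, ports, IP ident and the two filter functions are
made up for the demonstration. This is the tiny-fragment case from the
1999 ipchains advisory and the Ptacek/Newsham paper linked at the top of
the thread; whether it is exactly what Kerio 2.1.5 does internally is not
something this example can show.

```python
"""Tiny-fragment evasion of a packet filter that does not reassemble.
Added illustration; filters, addresses and ports are hypothetical."""
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_FLAGS_OFFSET = 13  # byte index of the flags field in a TCP header


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """20-byte TCP header, no options; TCP checksum left zero (not needed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(src, dst, proto, ident, more, offset8, payload):
    """IPv4 header + payload; offset8 is the fragment offset in 8-byte units."""
    flags_frag = ((1 if more else 0) << 13) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, proto, ident, transport, frag_bytes):
    """Split transport data into IP fragments of frag_bytes (a multiple of 8)."""
    assert frag_bytes % 8 == 0
    frags = []
    for off in range(0, len(transport), frag_bytes):
        chunk = transport[off:off + frag_bytes]
        more = off + frag_bytes < len(transport)
        frags.append(build_ipv4(src, dst, proto, ident, more, off // 8, chunk))
    return frags


def parse_ipv4(pkt):
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, _, _ = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def reassemble(packets):
    """Rejoin fragments of one datagram; None if a piece is missing or overlaps."""
    parts = sorted((parse_ipv4(p) for p in packets), key=lambda f: f["offset"])
    buf = bytearray()
    for f in parts:
        if f["offset"] != len(buf):
            return None
        buf += f["payload"]
    return None if parts[-1]["more"] else bytes(buf)


def naive_filter(pkt):
    """Hypothetical per-packet filter. Rule: drop inbound TCP SYN.
    Non-first fragments have no TCP header, and a first fragment too short
    to contain byte 13 cannot be matched, so both fall through to PASS."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_TCP or f["offset"] != 0:
        return "PASS"
    if len(f["payload"]) <= TCP_FLAGS_OFFSET:
        return "PASS"
    return "DROP" if f["payload"][TCP_FLAGS_OFFSET] & TCP_SYN else "PASS"


def reassembling_filter(packets):
    """Same rule applied after reassembly; anything incomplete fails closed."""
    tcp = reassemble(packets)
    if tcp is None or len(tcp) < 20:
        return "DROP"
    return "DROP" if tcp[TCP_FLAGS_OFFSET] & TCP_SYN else "PASS"


def demo():
    syn = build_tcp_header(sport=40000, dport=44334, flags=TCP_SYN)
    whole = fragment("192.0.2.10", "192.0.2.20", IPPROTO_TCP, 0x1234, syn, 24)  # 1 packet
    tiny = fragment("192.0.2.10", "192.0.2.20", IPPROTO_TCP, 0x1234, syn, 8)   # 8, 8, 4 bytes
    return {
        "whole_naive": [naive_filter(p) for p in whole],   # ['DROP']
        "tiny_naive": [naive_filter(p) for p in tiny],     # ['PASS', 'PASS', 'PASS']
        "tiny_reassembled": reassembling_filter(tiny),     # 'DROP'
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The same split on a real wire is what hping2's -f (--frag) option
produces; checking with Ethereal on the Kerio side that the fragments
arrive as three IP packets, and then whether a SYN/ACK comes back, is the
experiment the post above describes. The reassembling filter fails closed
on a missing or overlapping fragment, which is the behaviour you want
from a firewall even if the stack behind it would tolerate the gap.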

Re: Kerio 2.1.5 vulnerability

am 14.11.2004 02:33:40 von Hans-Peter Sauer

On Fri, 12 Nov 2004 23:46:13 +0000, Hassan I Sahba
wrote:



I just tried netcat on Tiny Firewall with the same results.

HiS

Re: Kerio 2.1.5 vulnerability

am 14.11.2004 13:28:55 von JP Loken

On Sun, 14 Nov 2004 01:33:40 +0000, Hassan I Sahba wrote:

> On Fri, 12 Nov 2004 23:46:13 +0000, Hassan I Sahba
> wrote:
>
>
>
> I just tried netcat on tiny firewall with the same results.
>
> HiS

Thank you for sharing your extensive work on this.


--
JP Loken