Huge security hole in Kerio 2.1.5

Huge security hole in Kerio 2.1.5

on 05.03.2005 18:10:26 by Laurent

I've just been told that Kerio 2.1.5, which was considered to be the
(or one of the) best choices, doesn't "see" (and doesn't intercept...)
fragmented packets, and thus wouldn't be effective against an attack
based on fragmented packets (see below).

Under these conditions, which FW can be suggested that would be
simultaneously
- free
- parameterizable
- controlling both IN and OUT (thus, not Win WP FW...)
- effective (thus, not Kerio 2.1.5...)

Thanks for advice

About the Kerio issue, this is the very simple test I was advised to
do... and whose result is a little bit frightening:
- Create a Kerio rule denying all inbound ICMP (answers to ping requests),
and put this rule in first position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
parameter, setting a packet size above the MTU, forces ping to fragment)

Even more serious: don't even add any rule, but from the systray icon,
choose "Stop traffic" (or something like that; my own Kerio is
in French, and I don't know the exact label in English).
Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
does...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 05.03.2005 18:54:28 by Duane Arnold

Laurent wrote in
news:mn.2c427d530aaf6707.2067@Voila.fr:

> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choices, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice

I'll assume WIN WP FW means Win XP FW.

You can *supplement* Kerio with IPsec.

http://tinyurl.com/48k3m

IPsec can stop inbound and outbound traffic by port, protocol or IP to
*supplement* Kerio.

http://www.analogx.com/contents/articles/ipsec.htm

With the AnalogX IPsec rules implemented, IPsec can be used to *supplement*
Kerio.

Duane :)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 00:18:47 by Robert Moir

Laurent wrote:
> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choices, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)

All "software firewalls" for home users are toys, that is all there is to
it. All of them are (marginally) better than nothing, and all have their
good and bad points.

If you switched from Kerio to (for example) Zone Alarm on Sunday, there is
no guarantee that someone wouldn't find a far worse hole in Zone Alarm on
Monday. Rather than flapping about wanting to switch straight away, you
could see how responsive the people behind Kerio are to this problem and
make your choice based on that.

--
Rob Moir
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 06:12:12 by Kerodo

On Sat, 05 Mar 2005 18:10:26 +0100, Laurent wrote:

> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choices, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice

You might try Kerio 4.x, which doesn't suffer from the fragmented packet
problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
its own problems.. I don't know of any software firewall that doesn't
though... :)


--
Kerodo

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 07:33:28 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 07:59:07 by Courtney

Laurent wrote in
news:mn.2c427d530aaf6707.2067@Voila.fr:

> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choices, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice
>
> About the Kerio issue, this is the very simple test I was advised to
> do... and whose result is a little bit frightening:
> - Create a Kerio rule denying all inbound ICMP (answers to ping requests),
> and put this rule in first position
> - ping whoever_you_want: no answer. OK.
> - ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
> parameter, setting a packet size above the MTU, forces ping to fragment)
>
> Even more serious: don't even add any rule, but from the systray icon,
> choose "Stop traffic" (or something like that; my own Kerio is
> in French, and I don't know the exact label in English).
> Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
> does...
>

I would hardly call this a "huge" issue. Two members of this group tried to
exploit it, and could not, even working together. The only time I know of
that it has been exploited successfully was under lab conditions.

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 11:16:31 by Laurent

Bart Bailey wrote on 06/03/2005:
> Also do you know where I might be able to test my config for this
> fragpacket vulnerability? some probe site maybe?

You can run the test I describe in the first post of this thread.

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 13:05:53 by Kerodo

On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:

> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg@40tude.net> posted on
> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>
>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>its own problems.. I don't know of any software firewall that doesn't
>>though... :)
>
> Your tone suggests that you know of some problems with EZ Firewall
> better known as the repackaged ZA from Computer Associates.
> Also do you know where I might be able to test my config for this
> fragpacket vulnerability? some probe site maybe?

Sorry, I don't know of any site that can test for it. It's not a config
issue, but a Kerio problem. A site could send you fragmented packets, but
how would it ever know if they went thru your firewall or not? Kerio would
block any response as it should, so as far as a remote site knows,
everything is fine.

It's unlikely that anyone would be able to take advantage of the
vulnerability in any meaningful way. I honestly wouldn't worry about it
much..

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 13:50:08 by Hans-Peter Sauer

On Sat, 05 Mar 2005 18:10:26 +0100, Laurent
wrote:

>I've just been told that Kerio 2.1.5, which was considered to be the
>(or one of the) best choices, doesn't "see" (and doesn't intercept...)
>fragmented packets, and thus wouldn't be effective against an attack
>based on fragmented packets (see below)
>
>In these conditions, which FW can be suggested, which would be
>simultaneously
>- free
>- parameterizable
>- controlling both IN and OUT (thus, not Win WP FW...)
>- efficient (thus, not kerio 2.1.5...)
>
>Thanks for advice
>
>About the Kerio issue, this is the very simple test I was advised to
>do... and whose result is a little bit frightening:
>- Create a Kerio rule denying all inbound ICMP (answers to ping requests),
>and put this rule in first position
>- ping whoever_you_want: no answer. OK.
>- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
>parameter, setting a packet size above the MTU, forces ping to fragment)
>
>Even more serious: don't even add any rule, but from the systray icon,
>choose "Stop traffic" (or something like that; my own Kerio is
>in French, and I don't know the exact label in English).
>Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
>does...

Many Kerio users don't seem to care.
Kerio doesn't care.
Use something else seems the best advice.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 13:50:29 by Hans-Peter Sauer

On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
wrote:

>Laurent wrote:
>> I've just been told that Kerio 2.1.5, which was considered to be the
>> (or one of the) best choices, doesn't "see" (and doesn't intercept...)
>> fragmented packets, and thus wouldn't be effective against an attack
>> based on fragmented packets (see below)
>
>All "software firewalls" for home users are toys, that is all there is to
>it. All of them are (marginally) better than nothing, and all have their
>good and bad points.
>
>If you switched from Kerio to (for example) Zone Alarm on Sunday, there is
>no guarantee that someone wouldn't find a far worse hole in Zone Alarm on
>Monday. Rather than flapping about wanting to switch straight away,

When you see packets go through a firewall you put your trust in, a
bit of flapping about is allowed :)

>you could see how responsive the people behind Kerio are to this problem and
>make your choice based on that.
>
>--

They don't seem to care :(

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 13:50:33 by Hans-Peter Sauer

On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey
wrote:

>In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg@40tude.net> posted on
>Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>
>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>its own problems.. I don't know of any software firewall that doesn't
>>though... :)
>
>Your tone suggests that you know of some problems with EZ Firewall
>better known as the repackaged ZA from Computer Associates.
>Also do you know where I might be able to test my config for this
>fragpacket vulnerability? some probe site maybe?

I checked ZA (can't remember which version) and it wasn't vulnerable.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 14:01:52 by Hans-Peter Sauer

On Sun, 6 Mar 2005 04:05:53 -0800, Kerodo
wrote:

>On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:
>
>> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg@40tude.net> posted on
>> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>>
>>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>>its own problems.. I don't know of any software firewall that doesn't
>>>though... :)
>>
>> Your tone suggests that you know of some problems with EZ Firewall
>> better known as the repackaged ZA from Computer Associates.
>> Also do you know where I might be able to test my config for this
>> fragpacket vulnerability? some probe site maybe?
>
>Sorry, I don't know of any site that can test for it. It's not a config
>issue, but a Kerio problem. A site could send you fragmented packets, but
>how would it ever know if they went thru your firewall or not? Kerio would
>block any response as it should, so as far as a remote site knows,
>everything is fine.
>
>It's unlikely that anyone would be able to take advantage of the
>vulnerability in any meaningful way. I honestly wouldn't worry about it
>much..

Hello Kerodo,
I thought you were one of the people that understood the problem.
Kerio is used to block access to services on a computer. If an
attacker routes his packets through fragrouter the attacker has access
to those services. It's that simple.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 14:03:37 by Hans-Peter Sauer

On 6 Mar 2005 06:59:07 GMT, elaich wrote:


>
>I would hardly call this a "huge" issue. 2 members of this group tried to
>exploit it, and could not, even working together. The only time I know of
>that it has been exploited successfully was under lab conditions.

Someone offered their computer as a target and I declined the offer.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 15:59:19 by Laurent

Hassan I Sahba wrote on 06/03/2005:
> When you see packets go through a firewall you put your trust in, a
> bit of flapping about is allowed :)

Yes, it's exactly my feeling...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 16:01:39 by Laurent

Hassan I Sahba wrote on 06/03/2005:
> Many Kerio users don't seem to care.
> Kerio doesn't care.
> Use something else seems the best advise.

Yes, but *what* else was my question...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 16:02:04 by Laurent

Kerodo wrote on 06/03/2005:
> It's unlikely that anyone would be able to take advantage of the
> vulnerability in any meaningful way. I honestly wouldn't worry about it
> much..

I would like to be as confident as you...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 16:14:12 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 19:50:15 by Duane Arnold

Hassan I Sahba wrote in
news:j4vl215952bbilic5rvkg20fufhspsaqll@4ax.com:

> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
> wrote:
>
>>Laurent wrote:
>>> I've just been told that Kerio 2.1.5, which was considered to be the
>>> (or one of the) best choices, doesn't "see" (and doesn't
>>> intercept...) fragmented packets, and thus wouldn't be effective
>>> against an attack based on fragmented packets (see below)
>>
>>All "software firewalls" for home users are toys, that is all there is
>>to it. All of them are (marginally) better than nothing, and all have
>>their good and bad points.
>>
>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>there is no guarantee that someone wouldn't find a far worse hole in
>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>straight away,
>
> When you see packets go through a firewall you put your trust in, a
> bit of flapping about is allowed :)
>
>>you could see how responsive the people behind Kerio are to this
>>problem and make your choice based on that.
>>
>>--
>
> They don't seem to care :(
>

Why should the vendor care about outdated software they no longer support?

Duane :)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:28:59 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:29:00 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:29:00 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:29:01 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:37:48 by Hans-Peter Sauer

On Sun, 06 Mar 2005 16:01:39 +0100, Laurent
wrote:

>Hassan I Sahba a écrit le 06/03/2005 :
>> Many Kerio users don't seem to care.
>> Kerio doesn't care.
>> Use something else seems the best advise.
>
>Yes, but *what* else was my question...

Firstly, I'd say a router. Then something like Astaro, Smoothwall or
Monowall. If that's too much bother then whatever PF you prefer.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 21:40:11 by Hans-Peter Sauer

On Sun, 06 Mar 2005 18:50:15 GMT, Duane Arnold
wrote:

>Hassan I Sahba wrote in
>news:j4vl215952bbilic5rvkg20fufhspsaqll@4ax.com:
>
>> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
>> wrote:
>>
>>>Laurent wrote:
>>>> I've just been told that Kerio 2.1.5, which was considered to be the
>>>> (or one of the) best choices, doesn't "see" (and doesn't
>>>> intercept...) fragmented packets, and thus wouldn't be effective
>>>> against an attack based on fragmented packets (see below)
>>>
>>>All "software firewalls" for home users are toys, that is all there is
>>>to it. All of them are (marginally) better than nothing, and all have
>>>their good and bad points.
>>>
>>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>>there is no guarantee that someone wouldn't find a far worse hole in
>>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>>straight away,
>>
>> When you see packets go through a firewall you put your trust in, a
>> bit of flapping about is allowed :)
>>
>>>you could see how responsive the people behind Kerio are to this
>>>problem and make your choice based on that.
>>>
>>>--
>>
>> They don't seem to care :(
>>
>
>Why should the vendor care about outdated software they no longer support?
>
>Duane :)

I'd have thought that was obvious Duane. They have/had a security
reputation to think about.

HiS

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 22:34:06 by Duane Arnold

Hassan I Sahba wrote in
news:4iqm215aknr8gne3tjp1ebdi3ecsdhd52i@4ax.com:

> On Sun, 06 Mar 2005 18:50:15 GMT, Duane Arnold
> wrote:
>
>>Hassan I Sahba wrote in
>>news:j4vl215952bbilic5rvkg20fufhspsaqll@4ax.com:
>>
>>> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
>>> wrote:
>>>
>>>>Laurent wrote:
>>>>> I've just been told that Kerio 2.1.5, which was considered to be
>>>>> the (or one of the) best choices, doesn't "see" (and doesn't
>>>>> intercept...) fragmented packets, and thus wouldn't be effective
>>>>> against an attack based on fragmented packets (see below)
>>>>
>>>>All "software firewalls" for home users are toys, that is all there
>>>>is to it. All of them are (marginally) better than nothing, and all
>>>>have their good and bad points.
>>>>
>>>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>>>there is no guarantee that someone wouldn't find a far worse hole in
>>>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>>>straight away,
>>>
>>> When you see packets go through a firewall you put your trust in, a
>>> bit of flapping about is allowed :)
>>>
>>>>you could see how responsive the people behind Kerio are to this
>>>>problem and make your choice based on that.
>>>>
>>>>--
>>>
>>> They don't seem to care :(
>>>
>>
>>Why should the vendor care about outdated software they no longer
>>support?
>>
>>Duane :)
>
> I'd have thought that was obvious Duane. They have/had a security
> reputation to think about.
>
> HiS
>

And what did the vendor tell you about what they were going to do about
the situation? I think they indicated that the product was not being
supported and they were NOT going to do anything about it. The vendor
doesn't care about it. And I don't think it's going to hurt their
reputation about a product they no longer support one bit. In other
words, it's a *moot* point. The vendor has moved on to a new product they
are now supporting and Kerio 2.1.5 is *dead* as far as the vendor is
concerned.

Duane :)

Re: Huge security hole in Kerio 2.1.5

on 06.03.2005 22:59:24 by Laurent

Bart Bailey wrote on 06/03/2005:
> In Message-ID: posted on Sun, 06 Mar
> 2005 11:16:31 +0100, Laurent wrote: Begin
>
>> Bart Bailey wrote on 06/03/2005:
>>> Also do you know where I might be able to test my config for this
>>> fragpacket vulnerability? some probe site maybe?
>>
>> You can run the test I describe in the first post of this thread.
>
> Seems to have disappeared from my spool, but I think it involved me
> having to do some deliberate crippling action to my config in order to
> create a non-standard config. If that's the case, I have no worries,
> thanks.

Here is the very simple test:

About the Kerio issue, this is the very simple test I was advised to
do... and whose result is a little bit frightening:
- Create a Kerio rule denying all inbound ICMP (answers to ping requests),
and put this rule in first position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
parameter, setting a packet size above the MTU, forces ping to fragment)

Even more serious: don't even add any rule, but from the systray icon,
choose "Stop traffic" (or something like that; my own Kerio is
in French, and I don't know the exact label in English).
Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
does...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 00:14:02 by Hans-Peter Sauer

On Sun, 06 Mar 2005 21:34:06 GMT, Duane Arnold
wrote:


>And what did the vendor tell you about what they were going to do about
>the situation? I think they indicated that the product was not being
>supported and they were NOT going to do anything about it. The vendor
>doesn't care about it.

Exactly. Why can't they tell people to stop using it. Because that
would mean admitting it was vulnerable for years? People are
forgetting this is a 6 year old vulnerability. It wasn't fixed, fair
enough, it was free. It wasn't announced, not good enough.

> And I don't think it's going to hurt their reputation about a product they no
>longer support one bit.

Too late.

> In other words, it's a *moot* point. The vendor has moved on to a new
>product they are now supporting and Kerio 2.1.5 is *dead* as far as the
> vendor is concerned.
>
>Duane :)

HiS

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 02:20:19 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 02:20:32 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 04:09:01 by TorrD

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 04:18:54 by TorrD

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 08:22:14 by unknown

Just for records, does Kerio let fragmented TCP packets pass as well as
fragmented ICMP?

"Hassan I Sahba" wrote in message
news:gp2n21d89khehfdtloiq94cmrrt2580343@4ax.com...
> On Sun, 06 Mar 2005 21:34:06 GMT, Duane Arnold
> wrote:
>
>
> >And what did the vendor tell you about what they were going to do about
> >the situation? I think they indicated that the product was not being
> >supported and they were NOT going to do anything about it. The vendor
> >doesn't care about it.
>
> Exactly. Why can't they tell people to stop using it. Because that
> would mean admitting it was vulnerable for years? People are
> forgetting this is a 6 year old vulnerability. It wasn't fixed, fair
> enough, it was free. It wasn't announced, not good enough.
>
> > And I don't think it's going to hurt their reputation about a product
> > they no longer support one bit.
>
> Too late.
>
> > In other words, it's a *moot* point. The vendor has moved on to a new
> >product they are now supporting and Kerio 2.1.5 is *dead* as far as the
> > vendor is concerned.
> >
> >Duane :)
>
> HiS

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 09:11:42 by Kerodo

On Sun, 06 Mar 2005 13:01:52 +0000, Hassan I Sahba wrote:

> On Sun, 6 Mar 2005 04:05:53 -0800, Kerodo
> wrote:
>
>>On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:
>>
>>> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg@40tude.net> posted on
>>> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>>>
>>>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>>>its own problems.. I don't know of any software firewall that doesn't
>>>>though... :)
>>>
>>> Your tone suggests that you know of some problems with EZ Firewall
>>> better known as the repackaged ZA from Computer Associates.
>>> Also do you know where I might be able to test my config for this
>>> fragpacket vulnerability? some probe site maybe?
>>
>>Sorry, I don't know of any site that can test for it. It's not a config
>>issue, but a Kerio problem. A site could send you fragmented packets, but
>>how would it ever know if they went thru your firewall or not? Kerio would
>>block any response as it should, so as far as a remote site knows,
>>everything is fine.
>>
>>It's unlikely that anyone would be able to take advantage of the
>>vulnerability in any meaningful way. I honestly wouldn't worry about it
>>much..
>
> Hello Kerodo,
> I thought you were one of the people that understood the problem.
> Kerio is used to block access to services on a computer. If an
> attacker routes his packets through fragrouter the attacker has access
> to those services. Its that simple.

I talked about it on several forums and after a lot of consideration most
folks came to the conclusion (and convinced me also) that it's harmless.
What possible harm can come if my machine allows a few packets in? There's
no response outbound because Kerio blocks it effectively, so there can be
no concurrent connection of any kind. Even if I got a fragmented packet to
a listening port, and it got thru, what would that program do with it?
Probably nothing.. And to top it off, someone would have to know you're
running Kerio and specifically target your machine with fragmented packets
and how likely is that to happen to the ordinary Joe out there? What's
somebody gonna do, bombard me with a million fragmented packets?

Psychologically, it's irritating that Kerio has that problem, but
realistically, it's probably meaningless.

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 10:10:51 by Gerald Vogt

> no concurrent connection of any kind. Even if I got a fragmented packet to
> a listening port, and it got thru, what would that program do with it?
> Probably nothing.. And to top it off, someone would have to know you're

You are aware that many worms did exploit network vulnerabilities in
Windows services? Some services were taken over just by a single simple
UDP packet exploiting a buffer overflow. These vulnerabilities have been
patched by Microsoft but you don't know what is still to come. I would
say if a firewall can be tricked just by fragmenting packets (which the
sender can easily do) what is this firewall worth?

Gerald

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 15:51:01 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:23:56 by Kerodo

On Mon, 07 Mar 2005 18:10:51 +0900, Gerald Vogt wrote:

>> no concurrent connection of any kind. Even if I got a fragmented packet to
>> a listening port, and it got thru, what would that program do with it?
>> Probably nothing.. And to top it off, someone would have to know you're
>
> You are aware that many worms did exploit network vulnerabilities in
> Windows services? Some services were taken over just by a single simple
> UDP packet exploiting a buffer overflow. These vulnerabilities have been
> patched by Microsoft but you don't know what is still to come. I would
> say if a firewall can be tricked just by fragmenting packets (which the
> sender can easily do) what is this firewall worth?
>
> Gerald

I didn't know that a single UDP packet could do anything.. IF that's the
case then yes, I guess it might be a problem.

My solution was to just not run Kerio 2 anymore. I've moved on to better
things..

Thanks for the info though. That's interesting..

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:44:14 by Laurent

S. Pidgorny wrote on 07/03/2005:
> Just for records, does Kerio let fragmented TCP packets pass as well as
> fragmented ICMP?

I'm not able to run such a test on my own.
According to what I've read on this forum, the answer is YES.
It is suggested to use fragroute to do the test, but unfortunately my
skills aren't enough to do such a test.

But actually, you're right. Your question is the most important !

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:45:49 by Kerodo

On Mon, 07 Mar 2005 18:10:51 +0900, Gerald Vogt wrote:

>> no concurrent connection of any kind. Even if I got a fragmented packet to
>> a listening port, and it got thru, what would that program do with it?
>> Probably nothing.. And to top it off, someone would have to know you're
>
> You are aware that many worms did exploit network vulnerabilities in
> Windows services? Some services were taken over just by a single simple
> UDP packet exploiting a buffer overflow. These vulnerabilities have been
> patched by Microsoft but you don't know what is still to come. I would
> say if a firewall can be tricked just by fragmenting packets (which the
> sender can easily do) what is this firewall worth?
>
> Gerald

Gerald, just for the sake of argument, what are the odds of this actually
happening though? They wouldn't be able to scan your ports to see what's
open, and they'd have to specifically target your machine for some reason,
out of all the machines out there. Why would anyone send a UDP packet to
my machine, especially if they couldn't see the result of their evil
doings?

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:45:59 by Laurent

Bart Bailey wrote on 07/03/2005:
> OK, thanks for re-posting, it looks like a fault that's Kerio coding
> specific, and not a general vulnerability to the way Kerio or perhaps
> other firewalls handle fragmented packet arrival.

I'm not talking about FW in a general way.
But, for Kerio 2.1.5, it seems to be a big vulnerability !

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:48:08 by Laurent

Kerodo wrote on 07/03/2005:
> My solution was to just not run Kerio 2 anymore. I've moved on to better
> things..

Which one, please ?

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:50:24 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:50:52 by Laurent

Jim Higgins wrote on 07/03/2005:
> On Sun, 06 Mar 2005 16:01:39 +0100, in
> , Laurent
> wrote:
>
>> Hassan I Sahba wrote on 06/03/2005:
>>> Many Kerio users don't seem to care.
>>> Kerio doesn't care.
>>> Use something else seems the best advise.
>>
>> Yes, but *what* else was my question...
>
> Well... you wanted a fixed version from Kerio so go use that. I
> think it's called Version 4. ;-)

When I've asked (on this forum and some others) which was the best
choice between Kerio 2.1 and Kerio 4.x, the *unanimous* answer was :
Kerio 2 is far better than Kerio 4.
So I stayed on Kerio 2. Maybe an error...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:54:46 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 19:58:34 by Laurent

Leythos wrote on 07/03/2005:
> And now you know the drawback in using outdated software, especially
> outdated security software.

I'm afraid you're right ! And yet, it's quite annoying to have to
change...
But if we must, maybe we will...

--
Laurent GRENET

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 20:06:25 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 22:05:36 by Hans-Peter Sauer

On Mon, 7 Mar 2005 18:22:14 +1100, "S. Pidgorny "
wrote:

>Just for records, does Kerio let fragmented TCP packets pass as well as
>fragmented ICMP?
>

It works with ICMP, TCP and UDP so I assume it will work with any type
of packet. I also established a netcat session and uploaded and
downloaded files and did some admin tasks, not that anyone would be
likely to be running netcat. But whatever services a user is running
will be exposed.

HiS.
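The test in the first post (a plain ping is blocked, ping -l 5000 gets an answer) and the confirmation in the post above that TCP and UDP fragments get through the same way come down to one mechanism: a filter that applies its rule set only to unfragmented packets. The following is an added example, not code from the thread, from Kerio or from fragrouter. It builds real IPv4 fragments for an ICMP echo request and for a bare TCP SYN, then pushes them through two filter models: one that passes anything with MF set or a non-zero fragment offset uninspected (the behaviour the posts describe) and one that reassembles before judging the datagram. The addresses, MTU values, port numbers and the "deny inbound ICMP" rule are constructed sample values, and the reassembler assumes non-overlapping fragments.

```python
import struct

IPV4_HDR_LEN = 20
MF_FLAG = 0x2000                      # "More Fragments" bit in the flags/offset field
PROTO_ICMP, PROTO_TCP = 1, 6
# Constructed sample addresses (RFC 5737 documentation ranges).
SRC, DST = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7])


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, data_len, ident, flags_frag):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + data_len,
                      ident, flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(src, dst, proto, payload, mtu=1500, ident=0x1234):
    """Split one datagram into MTU-sized fragments (RFC 791). A datagram that
    fits comes back as a single packet with MF clear and offset 0."""
    step = (mtu - IPV4_HDR_LEN) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    packets, offset = [], 0
    while True:
        chunk = payload[offset:offset + step]
        last = offset + len(chunk) >= len(payload)
        flags_frag = (0 if last else MF_FLAG) | (offset // 8)
        packets.append(ipv4_header(src, dst, proto, len(chunk), ident, flags_frag) + chunk)
        offset += len(chunk)
        if last:
            return packets


def parse(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    return {"ident": f[3], "mf": bool(f[4] & MF_FLAG), "offset": (f[4] & 0x1FFF) * 8,
            "proto": f[6], "src": f[8], "dst": f[9], "data": pkt[(f[0] & 0x0F) * 4:]}


def reassemble(packets):
    """Return complete datagrams as parsed dicts; incomplete sets are dropped.
    Assumes non-overlapping fragments (a real reassembler must also handle
    overlaps, duplicates and timeouts)."""
    done, pending = [], {}
    for pkt in packets:
        h = parse(pkt)
        if not h["mf"] and h["offset"] == 0:
            done.append(h)                # not a fragment at all
            continue
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        entry = pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][h["offset"]] = h["data"]
        if not h["mf"]:                   # the last fragment fixes the total payload length
            entry["total"] = h["offset"] + len(h["data"])
        if entry["total"] is not None and sum(map(len, entry["parts"].values())) == entry["total"]:
            parts = pending.pop(key)["parts"]
            done.append(dict(h, mf=False, offset=0,
                             data=b"".join(parts[o] for o in sorted(parts))))
    return done


def fragment_blind_filter(packets, denied_protos):
    """The behaviour the thread reports: the rule set is applied only to
    unfragmented packets, so anything with MF set or a non-zero offset is
    passed uninspected. Returns what the host behind it can then reassemble."""
    passed = []
    for pkt in packets:
        h = parse(pkt)
        if h["mf"] or h["offset"] or h["proto"] not in denied_protos:
            passed.append(pkt)
    return reassemble(passed)


def reassembling_filter(packets, denied_protos):
    """What a correct filter does: reassemble first, then judge the whole datagram."""
    return [h for h in reassemble(packets) if h["proto"] not in denied_protos]


def icmp_echo(payload_len, ident=1, seq=1):
    """ICMP echo request with payload_len data bytes, as `ping -l payload_len` sends."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + bytes(payload_len)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def tcp_syn(sport, dport):
    """Bare 20-byte TCP SYN; the checksum stays zero because the models never verify it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def deliveries(proto, transport, denied_protos, mtu=1500):
    """Push one datagram through both models. Returns (fragments on the wire,
    datagrams delivered behind the blind filter, datagrams behind the correct one)."""
    pkts = fragment(SRC, DST, proto, transport, mtu=mtu)
    return (len(pkts), len(fragment_blind_filter(pkts, denied_protos)),
            len(reassembling_filter(pkts, denied_protos)))
```

With inbound ICMP denied, `deliveries(PROTO_ICMP, icmp_echo(32), {PROTO_ICMP})` gives (1, 0, 0): one unfragmented packet, blocked by both models. `deliveries(PROTO_ICMP, icmp_echo(5000), {PROTO_ICMP})` gives (4, 1, 0): four fragments, every one of them carrying MF or a non-zero offset, so the blind model passes all of them and the host reassembles and answers the echo, while the reassembling model drops it. The TCP case needs no oversized packet at all: `deliveries(PROTO_TCP, tcp_syn(40000, 139), {PROTO_TCP}, mtu=IPV4_HDR_LEN + 8)` chops a 20-byte SYN into three 8-byte fragments, as fragrouter's ip_frag 8 does, and gives (3, 1, 0), so the handshake starts even though the port is denied.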

Re: Huge security hole in Kerio 2.1.5

on 07.03.2005 22:05:42 by Hans-Peter Sauer

On Sun, 06 Mar 2005 17:20:32 -0800, Bart Bailey
wrote:

>
>Looks like the message regarding customer concern is:
>If we find any glitches in our current product, we'll just move on to
>something else and leave you dead in the water, no patches, no
>retro-fixes, nothing but a sales pitch to upgrade.

Kerio users at least deserved an official announcement.

HiS

Re: Huge security hole in Kerio 2.1.5

On 07.03.2005 22:05:46 by Hans-Peter Sauer

On Sun, 06 Mar 2005 17:20:19 -0800, Bart Bailey
wrote:

>
>OK, thanks for re-posting, it looks like a fault that's Kerio coding
>specific, and not a general vulnerability to the way Kerio or perhaps
>other firewalls handle fragmented packet arrival.

Here's an early description:
http://linuxtoday.com/news_story.php3?ltsn=1999-08-02-021-10-SC

It looks complicated but fragrouter makes it a doddle.

HiS

Re: Huge security hole in Kerio 2.1.5

On 07.03.2005 22:05:50 by Hans-Peter Sauer

On Mon, 7 Mar 2005 00:11:42 -0800, Kerodo
wrote:

>On Sun, 06 Mar 2005 13:01:52 +0000, Hassan I Sahba wrote:
>

>>
>> Hello Kerodo,
>> I thought you were one of the people that understood the problem.
>> Kerio is used to block access to services on a computer. If an
>> attacker routes his packets through fragrouter the attacker has access
>> to those services. It's that simple.
>
>I talked about it on several forums and after a lot of consideration most
>folks came to the conclusion (and convinced me also) that it's harmless.

I disagree.

>What possible harm can come if my machine allows a few packets in?

Then why have a firewall? If a computer has ports open, a firewall
should restrict access to those ports. It only takes one fragmented
packet to start the process. If a fragmented SYN comes in, a SYN/ACK
will go out and a fragmented ACK comes back. If no other layers are in
place, like password protection, the connection is established. Kerio
logs the connection as blocked. Kerio now allows all traffic on this
connection. The question is, have Tiny/Kerio users closed 135-139 and
445, or are they relying on Tiny/Kerio to protect them?

> There's no response outbound because Kerio blocks it effectively, so
>there can be no concurrent connection of any kind.

Kerio "statefully" remembers the allowed connection.

>Even if I got a fragmented packet to
>a listening port, and it got thru, what would that program do with it?

It depends what service is listening. What are people trying to
protect with Tiny/Kerio.

>Probably nothing.. And to top it off, someone would have to know you're
>running Kerio and specifically target your machine with fragmented packets
>and how likely is that to happen to the ordinary Joe out there? What's
>somebody gonna do, bombard me with a million fragmented packets?

Kerio listens on port 44334 and can't stop fragmented packets
detecting this. Given time hping could scan the entire public address
range and find out how Tiny/Kerio users are online :)

HiS

>Psychologically, it's irritating that Kerio has that problem, but
>realistically, it's probably meaningless.
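The fragment-handling gap argued over in this post, as an added example that is neither Kerio's code nor anything posted in this thread: a toy inbound filter with one assumed rule ("deny all inbound ICMP"), evaluated first the way the thread reports Kerio 2.1.5 behaving (fragments never examined) and then after virtual reassembly. The addresses (192.0.2.x), the MTU of 1500 and the 5000-byte echo payload mirroring `ping -l 5000` are all constructed.

```python
"""Added example (not Kerio's code): a filter that never examines IP fragments
is blind to fragmented traffic; reassembling before the rule check fixes it.
Assumed inbound policy: "deny all inbound ICMP". All traffic is constructed."""
import struct
from collections import defaultdict

MTU, IP_HDR = 1500, 20          # assumed link MTU; IPv4 header without options
ICMP, UDP = 1, 17

def ip_addr(dotted):
    return bytes(int(x) for x in dotted.split("."))

def fragment(src, dst, proto, ident, payload, mtu=MTU):
    """Split payload into IPv4 datagrams that fit mtu. Fragment data is a
    multiple of 8 bytes except the last piece; checksum is left at zero."""
    chunk = (mtu - IP_HDR) // 8 * 8
    out = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)           # MF flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(piece), ident,
                          (more << 13) | (off // 8), 64, proto, 0,
                          ip_addr(src), ip_addr(dst))
        out.append(hdr + piece)
    return out

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    return {"ident": f[3], "more": bool(f[4] & 0x2000),
            "offset": (f[4] & 0x1FFF) * 8, "proto": f[6],
            "src": f[8], "dst": f[9], "data": pkt[IP_HDR:f[2]]}

def rule(proto, data):
    """The assumed inbound policy, applied to one whole datagram."""
    return "deny" if proto == ICMP else "allow"

def naive_filter(pkts):
    """Rule checked only on unfragmented datagrams; every fragment passes
    unexamined (the behaviour the thread reports for Kerio 2.1.5)."""
    verdicts = []
    for p in pkts:
        ip = parse_ipv4(p)
        fragmented = ip["more"] or ip["offset"] > 0
        verdicts.append("allow" if fragmented else rule(ip["proto"], ip["data"]))
    return verdicts

def reassembling_filter(pkts):
    """Hold fragments per (src, dst, ident, proto), judge the reassembled
    datagram once it is complete and apply that verdict to every fragment.
    Fragments of a datagram that never completes stay denied (fail closed)."""
    groups, verdicts = defaultdict(list), ["deny"] * len(pkts)
    for i, p in enumerate(pkts):
        ip = parse_ipv4(p)
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        groups[key].append((i, ip))
        frags = sorted(groups[key], key=lambda t: t[1]["offset"])
        contiguous = all(a["offset"] + len(a["data"]) == b["offset"]
                         for (_, a), (_, b) in zip(frags, frags[1:]))
        if frags[0][1]["offset"] == 0 and not frags[-1][1]["more"] and contiguous:
            verdict = rule(ip["proto"], b"".join(f["data"] for _, f in frags))
            for j, _ in frags:
                verdicts[j] = verdict
            del groups[key]
    return verdicts

def icmp_echo(n):
    """Constructed ICMP echo request (type 8) with an n-byte payload."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * n

PLAIN_PING = fragment("192.0.2.10", "192.0.2.20", ICMP, 1, icmp_echo(56))
BIG_PING = fragment("192.0.2.10", "192.0.2.20", ICMP, 2, icmp_echo(5000))  # ping -l 5000
BIG_UDP = fragment("192.0.2.10", "192.0.2.20", UDP, 3, b"B" * 3000)        # not ICMP, allowed
```

`naive_filter(BIG_PING)` lets all four fragments of the oversized ping through while denying the plain one, which is exactly the asymmetry the thread's `ping -l` test exposes; `reassembling_filter` denies both, and also keeps unrelated UDP flowing.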

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 00:34:39 by sskbutton

Leythos wrote:
> I would like to say you are right, but you've got to realize that EVERY
> security product on the market is designed for the NOW threats and will
> have updates for a certain period of time after it's released. When a new
> version is released (not just an update), they will support one rev
> earlier, but that's about all in most cases.
>

This might be off-topic but even with the latest and greatest firewall
software updates, could old applications cancel this out? I'm thinking
about browsers in specific. On one older pc I still use Netscape 4.72
to browse (with no Java and no Javascript). Could using the old
browser cancel out the firewall/av software? Even thought about
loading old 4.72 on this computer because it feels so much snappier on
the old pc than Firefox on this one.

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:04:40 by Gerald Vogt

Kerodo wrote:
> I didn't know that a single UDP packet could do anything.. IF that's the
> case then yes, I guess it might be a problem.

Do you know Slammer for instance?

Gerald

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:11:35 by Gerald Vogt

Kerodo wrote:
> Gerald, just for the sake of argument, what are the odds of this actually
> happening though? They wouldn't be able to scan your ports to see what's
> open, and they'd have to specifically target your machine for some reason,
> out of all the machines out there. Why would anyone send a UDP packet to
> my machine, especially if they couldn't see the result of their evil
> doings?

Are you connected directly to the internet? Let your firewall log all
incoming pings and connection requests and packets. Why would all these
come in? Nobody really wants to scan for ports that are open in the
first place. This is only interesting when you are looking for installed
backdoors which are obviously open. Before that, all you have to do is
to probe the computer at a particular IP address to see if it falls or
not. If it falls you are in, if not... well just go on 'cause there is
another one which will fall.

So to send a UDP packet worm that exploits some UDP service vulnerability
(and slammer fitted so nicely into one packet) all you have to program
is something like:

for i = 1 to 254
for j = 1 to 254
send UDP packet to IP xxx.yyy.i.j

and pretty quickly you have spread yourself over a whole class B net. If
it is a DSL/dial-up range you have pretty good chances to catch a couple
of fishes. Certainly you won't run this script from your home but from
an already taken machine possibly inside the B net...

Gerald

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:36:36 by Hans-Peter Sauer

On Mon, 07 Mar 2005 18:54:46 GMT, Leythos wrote:

>On Mon, 07 Mar 2005 19:58:34 +0100, Laurent wrote:
>>
>> Leythos wrote on 07/03/2005:
>>> And now you know the drawback in using outdated software, especially
>>> outdated security software.
>>
>> I'm afraid you're right! And yet, it's quite annoying to have to
>> change...
>> But if we must, maybe we will...
>
>I would like to say you are right, but you've got to realize that EVERY
>security product on the market is designed for the NOW threats and will
>have updates for a certain period of time after it's released. When a new
>version is released (not just an update), they will support one rev
>earlier, but that's about all in most cases.
>
>As an example, your v2 is very old, is not supported any longer, and you
>should be ready to implement a newer security product that directly
>addresses anything missed in the old application.
>
>At the same time, if you were to implement even a simple border device
>running NAT you would not have to rely on easily compromised personal
>firewall applications as much. The NAT box would have prevented the
>problem and still let you run your v2 software.

I agree with you. As I use a router, have no services running and have
a fix that works, I could still use 2.x But many Kerio users will
have to move on or be vulnerable.

HiS

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:36:44 by Hans-Peter Sauer

On Mon, 07 Mar 2005 19:06:25 GMT, CyberDroog
wrote:

>On Mon, 07 Mar 2005 19:50:52 +0100, Laurent
> wrote:
>
>>When I've asked (on this forum and some others) which was the best
>>choice between Kerio 2.1 and Kerio 4.x, the *unanimous* answer was:
>>Kerio 2 is far better than Kerio 4.
>>So I stayed on Kerio 2. Maybe an error...
>
>The reason for the dissing of Kerio 4.x is that it isn't just a firewall
>anymore. They had to go and add popup blocking and other stuff in there.
>They also changed the interface for the netstat view and such. It's much
>cleaner in v2.1.5 in some people's opinion.
>
>As many have pointed out, the "huge security hole" in v2.1.5 isn't really
>huge at all, and isn't really a vulnerability. Vulnerable to what? A
>fragmented UDP packet that the system won't respond to anyway?
>
>I still have v2.1.5 on one system and decided to test it. It passed with
>flying colors. No response to pings, even fragmented ones. Of course
>that's because of the NAT router config... I guess I'll have to accept
>other's words on the Kerio problem. I use it primarily for application
>protection.

Did you try the method Laurent suggested in the OP?
I thought its main advantages were the application protection (for
which an exploit was recently published), and the logging, although
when the log was open in notepad it would stop updating.

HiS

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:43:12 by unknown

Post removed (X-No-Archive: yes)

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 01:57:54 by Kerodo

On Mon, 07 Mar 2005 19:48:08 +0100, Laurent wrote:

> Kerodo wrote on 07/03/2005:
>> My solution was to just not run Kerio 2 anymore. I've moved on to better
>> things..
>
> Which one, please?

Try Jetico Personal Firewall. It's rules based, has stateful inspection
and is even more powerful than Kerio 2. You can do more things with it.
The interface is a little unusual at first, but you get used to it quickly
once you figure out what's where. It's free right now, but may not be in
the future. Very good though as a replacement for Kerio 2.

www.jetico.com

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 02:57:55 by Gerald Vogt

Hassan I Sahba wrote:
> I agree with you. As I use a router, have no services running and have
> a fix that works, I could still use 2.x But many Kerio users will
> have to move on or be vulnerable.

With a router and no services running you won't even need Kerio.

Gerald

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 06:40:49 by Kerodo

On Tue, 08 Mar 2005 09:11:35 +0900, Gerald Vogt wrote:

> Kerodo wrote:
>> Gerald, just for the sake of argument, what are the odds of this actually
>> happening though? They wouldn't be able to scan your ports to see what's
>> open, and they'd have to specifically target your machine for some reason,
>> out of all the machines out there. Why would anyone send a UDP packet to
>> my machine, especially if they couldn't see the result of their evil
>> doings?
>
> Are you connected directly to the internet? Let your firewall log all
> incoming pings and connection requests and packets. Why would all these
> come in? Nobody really wants to scan for ports that are open in the
> first place. This is only interesting when you are looking for installed
> backdoors which are obviously open. Before that, all you have to do is
> to probe the computer at a particular IP address to see if it falls or
> not. If it falls you are in, if not... well just go on 'cause there is
> another one which will fall.
>

I'm connected to the internet via cable.. I've been looking at the logs
for years and all I ever see is mostly UDP to 1025-1029, a few pings, and a
few packets to other random ports now and then. Nothing much.

I don't use Kerio 2 any longer because it bothers me that frag'd packets
can get in. But I think it's more psychological than anything else. I
seriously doubt that anyone would bother trying to get packets into my
system, and if they did, they'd be shooting blind trying to hit what? If I
were running Kerio 2, I wouldn't worry about it much practically speaking.

Notice though, that I'm not running Kerio 2. :)

> Gerald


--
Kerodo

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 06:43:53 by Kerodo

On Mon, 07 Mar 2005 21:05:50 +0000, Hassan I Sahba wrote:

> If a fragmented SYN comes in, a SYN/ACK
> will go out and a fragmented ACK comes back.

This is where I think you're wrong.. If a fragmented SYN comes in, Kerio
will let it through, but NOTHING will go out, assuming you have halfway
decent rules in place. Kerio will block the outgoing reply.. No?


--
Kerodo

Re: Huge security hole in Kerio 2.1.5

On 08.03.2005 06:45:49 by Kerodo

On Sun, 06 Mar 2005 16:01:39 +0100, Laurent wrote:

> Hassan I Sahba wrote on 06/03/2005:
>> Many Kerio users don't seem to care.
>> Kerio doesn't care.
>> Use something else seems the best advice.
>
> Yes, but *what* else was my question...

Try Jetico PF as mentioned earlier today.. www.jetico.com

It's very good... better than Kerio...

--
Kerodo

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 02:16:53 by Hans-Peter Sauer

On Tue, 08 Mar 2005 10:57:55 +0900, Gerald Vogt
wrote:

>Hassan I Sahba wrote:
>> I agree with you. As I use a router, have no services running and have
>> a fix that works, I could still use 2.x But many Kerio users will
>> have to move on or be vulnerable.
>
>With a router and no services running you won't even need Kerio.
>
>Gerald

I've just installed it again to see the fix working, but it's not
running now. I know my keyboard is calling home to Microsoft at the
moment, so it's tempting to use a PF to stop it. I like the app
control even though I know that's been exploited recently. When I
decide on a distro (Astaro maybe) and find the time, there will be a
firewall as well. But it still might need a PF to keep the keyboard
and other stuff that wants to get out quiet.
I also used to like looking through the logs to see which ports had
been getting hammered lately.

HiS

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 02:17:00 by Hans-Peter Sauer

On Tue, 08 Mar 2005 09:11:35 +0900, Gerald Vogt
wrote:

>
>So to send a UDP packet worm that exploits some UDP service vulnerability
>(and slammer fitted so nicely into one packet) all you have to program
>is something like:
>
> for i = 1 to 254
> for j = 1 to 254
> send UDP packet to IP xxx.yyy.i.j
>
>and pretty quickly you have spread yourself over a whole class B net. If
>it is a DSL/dial-up range you have pretty good chances to catch a couple
>of fishes. Certainly you won't run this script from your home but from
>an already taken machine possibly inside the B net...
>
>Gerald

That's just how 2.x firewalls could be found, by sending the packet to
port 44334 you would get the IP addresses of all users online in that
class B network.

HiS

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 02:17:42 by Hans-Peter Sauer

On Mon, 7 Mar 2005 21:43:53 -0800, Kerodo
wrote:

>On Mon, 07 Mar 2005 21:05:50 +0000, Hassan I Sahba wrote:
>
>> If a fragmented SYN comes in, a SYN/ACK
>> will go out and a fragmented ACK comes back.
>
>This is where I think you're wrong.. If a fragmented SYN comes in, Kerio
>will let it through, but NOTHING will go out, assuming you have halfway
>decent rules in place. Kerio will block the outgoing reply.. No?

No. If Kerio lets it through to the OS, and the service allows the
connection by sending a SYN/ACK, Kerio will let it out. I've seen the
packets come and go with Ethereal on both machines. Once through the
decision to connect or not is made by the service that is running. If
the service says yes Kerio allows any traffic the service is capable
of. It all boils down to what services are running behind the
firewall. Kerio can't refuse the connection, only the OS or the
services can.

HiS

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 04:13:10 by Gerald Vogt

Hassan I Sahba wrote:
> That's just how 2.x firewalls could be found, by sending the packet to
> port 44334 you would get the IP addresses of all users online in that
> class B network.

No. I don't care about who's online or not. UDP packets have nothing to
do with finding someone. That's an ICMP packet that generally does that.
The firewall lets fragmented packets through, doesn't it? A fragmented
UDP packet goes through, too. If the UDP packet targets a Windows
service that is vulnerable it gets infected... I am talking about a
normal let's say slammer UDP packet that would go through your Kerio
unharmed. So if you install your Windows from CD and then your Kerio as
firewall before you go online to maybe download windows updates (which
you think you won't need as you have your Kerio, don't you?) during this
time someone may send you a fragmented UDP packet and infect your
machine through Kerio...

Gerald

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 04:59:43 by Kerodo

On Wed, 09 Mar 2005 01:17:42 +0000, Hassan I Sahba wrote:

> On Mon, 7 Mar 2005 21:43:53 -0800, Kerodo
> wrote:
>
>>On Mon, 07 Mar 2005 21:05:50 +0000, Hassan I Sahba wrote:
>>
>>> If a fragmented SYN comes in, a SYN/ACK
>>> will go out and a fragmented ACK comes back.
>>
>>This is where I think you're wrong.. If a fragmented SYN comes in, Kerio
>>will let it through, but NOTHING will go out, assuming you have halfway
>>decent rules in place. Kerio will block the outgoing reply.. No?
>
> No. If Kerio lets it through to the OS, and the service allows the
> connection by sending a SYN/ACK, Kerio will let it out. I've seen the
> packets come and go with Ethereal on both machines. Once through the
> decision to connect or not is made by the service that is running. If
> the service says yes Kerio allows any traffic the service is capable
> of. It all boils down to what services are running behind the
> firewall. Kerio can't refuse the connection, only the OS or the
> services can.
>
> HiS

But for Kerio to allow the service to communicate back out, your rules
would have to allow this outbound traffic from this service, right? So
you're assuming that there's a service listening on the port that receives
the packet and that your rules allow that service to send outbound traffic.

You're probably right.. I admit I don't know much about it. Just thinking
out loud.. :)


--
Kerodo

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 21:57:27 by Hans-Peter Sauer

On Wed, 09 Mar 2005 12:13:10 +0900, Gerald Vogt
wrote:

>Hassan I Sahba wrote:
>> That's just how 2.x firewalls could be found, by sending the packet to
>> port 44334 you would get the IP addresses of all users online in that
>> class B network.
>
>No. I don't care about who's online or not.

I think that because you are seeing it from the side of an automated
attack, while my testing has involved locating 2.x firewalls and
connecting to them.

> UDP packets have nothing to
>do with finding someone. That's an ICMP packet that generally does that.

I was referring to the method of sending the packets rather than their
type. Actually hping2 can scan with UDP packets that will easily
detect 2.x on the internet. It's a more subtle way of scanning because
most people would see ICMP traffic to common ports as a scan, whereas
UDP to common ports is more likely to be considered harmless as most
people don't know what a single UDP packet can do. Also UDP is less
likely to be logged.

>The firewall lets fragmented packets through, doesn't it? A fragmented
>UDP packet goes through, too. If the UDP packet targets a Windows
>service that is vulnerable it gets infected... I am talking about a
>normal let's say slammer UDP packet that would go through your Kerio
>unharmed. So if you install your Windows from CD and then your Kerio as
>firewall before you go online to maybe download windows updates (which
>you think you won't need as you have your Kerio, don't you?) during this
>time someone may send you a fragmented UDP packet and infect your
>machine through Kerio...
>
>Gerald

Exactly. If the registry fix doesn't work, which seems to be the case
with most OS's, 2.x will let them in.

HiS

Re: Huge security hole in Kerio 2.1.5

On 09.03.2005 21:57:34 by Hans-Peter Sauer

On Tue, 8 Mar 2005 19:59:43 -0800, Kerodo
wrote:

>On Wed, 09 Mar 2005 01:17:42 +0000, Hassan I Sahba wrote:
>
>> On Mon, 7 Mar 2005 21:43:53 -0800, Kerodo
>> wrote:
>>
>>>On Mon, 07 Mar 2005 21:05:50 +0000, Hassan I Sahba wrote:
>>>
>>>> If a fragmented SYN comes in, a SYN/ACK
>>>> will go out and a fragmented ACK comes back.
>>>
>>>This is where I think you're wrong.. If a fragmented SYN comes in, Kerio
>>>will let it through, but NOTHING will go out, assuming you have halfway
>>>decent rules in place. Kerio will block the outgoing reply.. No?
>>
>> No. If Kerio lets it through to the OS, and the service allows the
>> connection by sending a SYN/ACK, Kerio will let it out. I've seen the
>> packets come and go with Ethereal on both machines. Once through the
>> decision to connect or not is made by the service that is running. If
>> the service says yes Kerio allows any traffic the service is capable
>> of. It all boils down to what services are running behind the
>> firewall. Kerio can't refuse the connection, only the OS or the
>> services can.
>>
>> HiS
>
>But for Kerio to allow the service to communicate back out, your rules
>would have to allow this outbound traffic from this service, right?

The 1st rule was to block all TCP in both directions so everything was
denied permission to connect in or out.

> So you're assuming that there's a service listening on the port that
> receives the packet

There would have to be a service listening to make a TCP connection or
receive a UDP packet. Fragmented ICMP can tell if there is an open
port or not.

>and that your rules allow that service to send outbound traffic.

The services configuration, not the firewall rules. Kerio will allow
the traffic in both directions, despite the 1st rule.
If it is an HTTP server with no password, they can see your web page,
and it will be as secure as your server config allows.
If it is an anonymous FTP server then they have the rights of an
anonymous user. If it asks for a password they will have to guess or
crack it.
If it's an admin running a telnet server with no password....

HiS
>You're probably right.. I admit I don't know much about it. Just thinking
>out loud.. :)

Re: Huge security hole in Kerio 2.1.5

On 19.03.2005 15:36:05 by Philip K

On Mon, 7 Mar 2005 21:45:49 -0800, Kerodo
wrote:

>Try Jetico PF as mentioned earlier today.. www.jetico.com
>
>It's very good... better than Kerio...

I see from their website that there's a new version out:

} v. 1.0.1.56 Freeware, 14th March, 2005.
} Log entries of the firewall now report detail on fragmented IP
} packets. Firewall system tray icon behaviour corrected, problem
} of incompatibility with games from Valve software fixed.

In the past you have mentioned that the user interface is somewhat
idiosyncratic. Has it got any better?
--
Philip

[Don't top post. Quote selectively. Don't use HTML. Enjoy Usenet]