[Full-Disclosure] Kerio firewall possible fragmentation issue
netw3_security at hushmail.com
Fri May 9 07:08:31 BST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Since the Kerio personal firewall is being picked on these days, I thought
I'd throw my two cents in. The firewall is free, so perhaps this is a
case of "you get what you pay for". Still, one expects firewall software
to perform at a certain level. In any case I found a potential issue,
but I'm unable to reproduce it - I didn't fully document all of the
conditions that were required for the issue to present itself (duh).

Basically, I was running the Kerio personal firewall on a Win2K pro box.
Firewall rules were in place to allow certain RFC1918 addresses access
to certain ports. All other source IPs were supposed to be dropped.
An nmap scan from the Internet through fragrouter indicated that the
ports were open. I checked my results at the time, and only those ports
that should have allowed local LAN access were reported as open. I may
have used nmap's fragmentation options, but for some reason I got distracted
and did not document the exact conditions and cannot reproduce. This
could be some type of fluke, but at the time it seemed like a problem.
At the very least, there could be a problem in the way Kerio handles
packet fragmentation, possibly allowing fragmented exploits to walk right
through in certain cases.

I realize this is vague. I've since ditched Kerio and have not bothered
to follow up on this. I didn't really expect the fragrouter based attacks
to really accomplish anything, but I guess there are still uses for the
Curt R. Wilson
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----