Kerio Firewall FWDRV Driver Local DoS
SUMMARY
" http:</http:> Kerio Personal Firewall represents smart,
easy-to-use personal security technology that fully protects personal
computers against hackers and internal misuse"
“Kerio ServerFirewall offers IT and security administrators a powerful and
easy-to-use tool to protect their server systems from worms, buffer-overflow
and other internet security threats.”
Lack of proper permissions validation allow local attackers to cause the
Kerio Firewall to crash.
DETAILS
Vulnerable Systems:
* Kerio Personal Firewall version 4.2.0
* Kerio Server Firewall version 1.1.1
FWDRV driver (core part of the firewall system) monitors all programs that
are trying to connect to the Internet. While doing necessary checks, FWDRV
parses the Process Environment Block (PEB) like the code shows:
text:0041C04E mov ecx, [ebp+var_4] ; ECX = PEB base
text:0041C051 mov edx, [ecx+0Ch] ; EDX = PEB_LDR_DATA
However while parsing the PEB FWDRV doesn’t check if the memory with Process
Environment Block is accessible. It means that if attacker will set
PAGE_NOACCESS or PAGE_GUARD protection to the PEB block the FWDRV will cause
an fatal exception and the machine will crash.
Example:
Executing connect api function with previously PAGE_NOACCESS protection set
to Process Environment Block will cause an local machine crash.
ADDITIONAL INFORMATION
The information has been provided by mailto:xxxxx Piotr
Bania.
The original article can be found at:
http:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt</http:></mailto:xxxxx>