05-21-2006 01:43 AM - edited 03-10-2019 03:01 AM
Triggers on certain ftp data traffic. Unfortunately I cannot supply pcap data (customer network).
Perhaps you can tune the regexp to be slightly more intelligent (check for a real Kerio Personal Firewall?).
Thanks.
05-22-2006 06:15 AM
Mattias,
This signature detects a very specific data structure and offset on a high-order port (44334) that is normally unique to the Kerio PFW administration application.
Port 44334 is used for Tiny Personal Firewall or Kerio Personal Firewall administration.
Of course, some FTP clients and PASV FTP can allow random port assignments for the data stream, so this signature could certainly fire in this case if there were a match.
Also, technically any application that could allow custom use of port 44334 might have the potential to randomly fire this signature.
But I would think it would be a very uncommon coincidence of properly formatted/offset data and the port.
We'll look into this though, and in the meantime if there is any way you could provide a pcap, that would help quite a bit.
I understand that is unlikely, however at this point all of our testing was unable to reproduce an FP so any suspect sample you might provide could be very helpful.
We'll also update the documentation of this signature to indicate that some benign triggers may exist. The key differentiator would be that if the client is not running Kerio PFW or Tiny PFW, this is a benign trigger.
Thank you for bringing this to our attention.
Al
IPS Signature Development Team
05-24-2006 11:29 AM
Thanks for your answer.
Very large amounts of data are transferred through this network with passive ftp. It seems that this data sometimes matches the "very specific data structure and offset".
Since it triggers avg. 8 times per day at this sensor I figured there might be something you could do about it.
I haven't looked into this vulnerability but is it really necessary to check every packet in this tcp stream? Checking the first packet(s) would probably reduce the FP drastically.
05-24-2006 02:22 PM
Actually, since we have this tied to Exact Match Offset, this is the offset within the stream, not just a single packet. So this is actually the most exact location within the stream that we can provide.
One thing you didn't mention was the version your customer was running. Are they running 4.x or 5.x?
If they are running 5.x we can provide a custom META signature that you could configure for them that would reduce the FP. The risk is that the new custom META will miss most variants of the Kerio vulnerability as demonstrated by some test suites available as they do not mimic or require the full authentication exchange for the Kerio PFW. So I don't think this is a very valuable solution.
In my opinion, since this is an older vulnerability, if your customer does not normally run KPW on their clients, it may make sense to disable this signature for their network.
In the meantime I'll look into this further to see if we can increase the fidelity, but from my research this is the best solution for catching most varieties of exploitations of this vulnerability, especially if they mutate.
Al
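The distinction Al draws above (an Exact Match Offset is a position in the reassembled TCP stream, not in any single packet) and the triage he describes (port, then pattern, then whether the client actually runs Kerio/Tiny PFW) can be illustrated with a small model. This is an added example, not Cisco IPS code and not the real signature: the thread does not give the signature's bytes, so the `PATTERN` and `STREAM_OFFSET` values below are constructed placeholders, and the sample flows are made up.

```python
from dataclasses import dataclass
from typing import List

# Port named in the thread as the Kerio / Tiny Personal Firewall admin port.
KERIO_ADMIN_PORT = 44334

# Placeholder pattern and stream offset. The thread does not disclose the
# signature's real bytes; these are constructed for the demonstration only.
PATTERN = b"\x4b\x50\x46\x57"   # constructed marker, not the real structure
STREAM_OFFSET = 6


@dataclass
class Segment:
    """One TCP data segment; seq is the relative offset of its payload in the stream."""
    dst_port: int
    seq: int
    payload: bytes


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream in sequence order. Assumes no gaps or overlaps."""
    buf = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq != len(buf):
            raise ValueError(f"gap or overlap at stream offset {len(buf)}")
        buf += seg.payload
    return bytes(buf)


def match_in_stream(stream: bytes, pattern: bytes = PATTERN, offset: int = STREAM_OFFSET) -> bool:
    """Exact-offset match against the reassembled stream (how the thread describes the signature)."""
    return stream[offset:offset + len(pattern)] == pattern


def match_per_packet(segments: List[Segment], pattern: bytes = PATTERN, offset: int = STREAM_OFFSET) -> bool:
    """Same check applied to each packet on its own; misses a pattern that straddles a segment boundary."""
    return any(seg.payload[offset:offset + len(pattern)] == pattern for seg in segments)


def classify(segments: List[Segment], client_runs_kerio: bool) -> str:
    """Triage a flow the way the thread suggests: port, then stream offset, then host context."""
    if not segments or segments[0].dst_port != KERIO_ADMIN_PORT:
        return "no-port-match"
    if not match_in_stream(reassemble(segments)):
        return "no-pattern-match"
    return "alert" if client_runs_kerio else "benign-trigger"


# Constructed sample flows.
# Flow A: a PASV FTP data connection that happened to land on 44334 and whose
# bytes coincidentally carry the marker at offset 6, split across two segments.
FLOW_A = [
    Segment(44334, 0, b"\x00" * 6 + PATTERN[:2]),
    Segment(44334, 8, PATTERN[2:] + b"file contents..."),
]
# Flow B: the same bytes on an ordinary PASV data port.
FLOW_B = [Segment(51234, 0, b"\x00" * 6 + PATTERN + b"file contents...")]


if __name__ == "__main__":
    print("per-packet match on flow A:", match_per_packet(FLOW_A))            # False
    print("stream match on flow A:", match_in_stream(reassemble(FLOW_A)))     # True
    print("flow A, no Kerio on client:", classify(FLOW_A, client_runs_kerio=False))
    print("flow A, Kerio on client:", classify(FLOW_A, client_runs_kerio=True))
    print("flow B:", classify(FLOW_B, client_runs_kerio=False))
```

Flow A shows why a per-packet check is not a drop-in replacement for the stream-offset check: the marker spans two segments, so only the reassembled view sees it. It also shows the benign-trigger case from the thread, where port and pattern both coincide on bulk FTP data but the client is not running the firewall, which is the context an analyst needs before deciding to tune or disable the signature.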