gwion (wild colonial boy; Premium, ExMod 2001-08; joined 2000-12-28; Pittsburgh, PA; kudos: 1)

Kerio - Tiny users... issue confirmed on Kerio..

Kerio PFW appears vulnerable to app spoofing under certain limited conditions. An application renamed "persfw.exe" can contact any IP on remote port 80 without being processed by the firewall. This has already been confirmed. Renaming the application "glview.exe" on my own machine to "persfw.exe" allowed me to browse a VRML world, despite a first rule in Kerio to "deny tcp/udp any remote host remote port 80 both directions". Trying to use the originally named application failed and was stopped by the firewall, as was unproxied IE traffic. The results were replicated twice, with identical results in both the renamed app and the "control" app.

Wiseguy has said he's reproduced this with Tiny v. 2.0.15; we need some more controlled tests. If anyone can reproduce this, either in Kerio or in Tiny 2.0.15 or .15a, can you please post details? While I at first hesitated to post this, I realized that the cat is now well out of the bag with or without my help. The bad guys already must know, if we do. It's important that the issue be addressed in as timely a fashion as possible, and identifying its reproducibility is important, right now.

The potential threat level's pretty significant, but I'm not aware of any existing exploits on this, yet. Seems like a breaking news item. I don't advise Kerio/Tiny users to panic, but I do advise everyone to keep a close eye out for patches addressing this issue... if the issue turns out to be pervasive, I believe it would be in order that it be addressed in a VERY timely fashion. I hope Tiny and Kerio both live up to their well-earned reputation for rapid, proactive development and deployment. It could be a serious and completely unacceptable vulnerability.

-- A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him. --Mark Twain
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

Very bad, just tested it myself, and it didn't even check the path or MD5.
Zupe (Premium, MVM; joined 2001-11-29; New York, NY)

reply to gwion

As mentioned in the other thread where this issue was brought to light, I've also confirmed this with Kerio beta 5. After inserting the same "deny tcp/udp any remote host remote port 80 both directions" rule gwion mentioned as the first rule in my Kerio config, I was unable to access the net through IE, as would be expected, but when I copied the IE executable file to my desktop and renamed it to Persfw.exe, I was allowed to connect despite the block rule. I also attempted to create a rule to specifically block the "fake" persfw.exe application and it was still permitted to connect. In addition, the "fake" persfw.exe file appeared in the MD5 signature section of Kerio and when tested was listed as "checksum ok". This issue also appears to have been confirmed with Tiny firewall, both on the GRC.com site and by Wiseguy on this site.

Hopefully a patch for this issue will be provided quickly, as it does seem to have the potential to be a major problem. On a side note, given the recent parting of ways between the TinySoftware and Kerio entities, I'm curious as to where a patch for Tiny 2.0.15 would originate, from Tiny or Kerio?

-- Pinky: I think so Brain, but if you replace the P with an O, my name would be Oinky, wouldn't it?
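The two observations in this thread (a renamed binary passes because only its name is checked, and the MD5 section still reports "checksum ok" for the impostor) both come from trusting a process by its base name. The following is an added example, not code from the thread or from Kerio/Tiny, that models a name-only exemption beside a check pinned to the installed path and the hash of the genuine binary, and shows why a checksum learned from whatever file first appears under a name cannot detect an impostor. All paths, file contents and the exemption itself are constructed stand-ins; the thread only infers that the driver exempts "persfw.exe".

```python
"""
Added example (not from the thread or from Kerio/Tiny): name-only trust versus
path-and-hash trust for an outbound filter's self-exemption.  Every path, byte
string and rule below is constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    image_path: str     # full path of the running executable
    image_bytes: bytes  # constructed stand-in for the file's contents
    remote_port: int    # port the process is trying to reach


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def norm_path(path: str) -> str:
    """Normalise Windows paths so comparisons are case- and separator-insensitive."""
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm_path(path).rsplit("/", 1)[-1]


# Constructed stand-ins for the two binaries discussed in the thread.
GENUINE_FIREWALL_UI = b"<constructed bytes of the genuine firewall UI binary>"
BROWSER_BINARY = b"<constructed bytes of a browser executable>"

# Weak policy: the firewall's own UI skips the rule set, identified by name alone.
EXEMPT_BY_NAME = {"persfw.exe"}


def weak_allows(proc: Process, deny_port: int) -> bool:
    """Name-only exemption: anything called persfw.exe bypasses the deny rule."""
    if basename(proc.image_path) in EXEMPT_BY_NAME:
        return True
    return proc.remote_port != deny_port


# Strong policy: the exemption is pinned to the install path AND the hash of the
# genuine binary, so a copy elsewhere or a different file under that name fails.
EXEMPT_PINNED = {
    (norm_path(r"C:\Program Files\Kerio\Personal Firewall\persfw.exe"),
     sha256(GENUINE_FIREWALL_UI)),
}


def strong_allows(proc: Process, deny_port: int) -> bool:
    key = (norm_path(proc.image_path), sha256(proc.image_bytes))
    if key in EXEMPT_PINNED:
        return True
    return proc.remote_port != deny_port


class LearnedChecksums:
    """Records the hash of the first file seen under each name.  This only detects
    later modification; the first file seen is accepted as the reference, so an
    impostor that arrives first is reported as 'checksum ok'."""

    def __init__(self) -> None:
        self.reference: dict[str, str] = {}

    def check(self, proc: Process) -> str:
        name = basename(proc.image_path)
        digest = sha256(proc.image_bytes)
        stored = self.reference.setdefault(name, digest)
        return "checksum ok" if stored == digest else "checksum changed"


def demo() -> dict[str, object]:
    deny_port = 80  # the thread's "deny ... remote port 80" first rule
    genuine = Process(r"C:\Program Files\Kerio\Personal Firewall\persfw.exe",
                      GENUINE_FIREWALL_UI, deny_port)
    impostor = Process(r"C:\Windows\Desktop\persfw.exe", BROWSER_BINARY, deny_port)
    browser = Process(r"C:\Program Files\Internet Explorer\iexplore.exe",
                      BROWSER_BINARY, deny_port)
    learned = LearnedChecksums()
    return {
        "weak_impostor": weak_allows(impostor, deny_port),      # True: bypass
        "strong_impostor": strong_allows(impostor, deny_port),  # False: blocked
        "strong_genuine": strong_allows(genuine, deny_port),    # True: exempt
        "weak_browser": weak_allows(browser, deny_port),        # False: blocked
        "learned_impostor": learned.check(impostor),            # "checksum ok"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pinned check stops the rename trick, but note the trade-off: a legitimate upgrade of the exempted binary changes its hash, so the reference digest has to come from the vendor's installer or update process, not from the file found on disk at first sight.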
reply to gwion

Uh, oh.... I'm pretty sure Kerio will fix this and the next beta will be out very soon...
gwion (wild colonial boy; Premium, ExMod 2001-08; joined 2000-12-28; Pittsburgh, PA; kudos: 1)

reply to gwion

I am, too. I think it's important that we be aware, though, that this has been identified, and that we keep a VERY close eye out for patches and updates, and all consider them mandatory. I always found Tiny proactive and responsive, and Kerio is the former developer, so I trust they'll maintain their reputation for integrity and deploy a fix as soon as practical.

-- A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him. --Mark Twain
reply to gwion

I just zapped a byte in my Kerio VXD driver. It seems to have made the problem go away. Obviously I've only tested a little, but it does seem to work. I'm using Win98SE.

Should I post what I did? Or would people feel better if it was tested for a while?

Regardless, it seems rather simple and surely Kerio will jump right on it. Since Tiny hasn't released a version for a while, their version may require "patching". If my fix works for Kerio, someone can do the same for Tiny.
reply to gwion

Hopefully this will not be too difficult. However, after zapping it I am surprised to see where Kerio went looking for a version update.
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

Yes, please tell us what you did!

You just altered one byte in the VXD driver, and it catches the persfw.exe, even its own attempts now??

-- "Leave it to the catholics to destroy existence" "You can change ideas, but it's harder to change beliefs" -Dogma
reply to gwion

This is only regarding Kerio beta 5. The offset does NOT apply to any other version of any other product.

It makes sense that the FWDRV.VXD driver is what lets "persfw.exe" programs have their way with port 80. There are only a few occurrences of that program name in the VXD. One of them is at offset 055CC. I changed the hex 50 (the 'P' in PERSFW.EXE) to a binary zero. Now Kerio can't compare the program name for "persfw.exe" and find a match.

A hex editor is required. The FWDRV.VXD file is in the SYSTEM directory.

PLEASE make a backup before attempting to modify the file. An incorrect patch may be disastrous! A reboot is probably required to get the modified VXD loaded.

If required I can post a link to a patched VXD, but I think you guys are pretty hex-savvy.
PapaDos (Cum Grano Salis; Premium, MVM; joined 2001-02-08; Lasalle, QC; kudos: 2)

I am still running TPF 2.0.14. It doesn't show that behavior; the attempt was trapped correctly (renaming iexplorer).

-- Nunc est bibendum...
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

That is very interesting... .14 doesn't let persfw.exe do anything it wants, and .15 does? ....or did you only test iexplore?

Hell, if .14 doesn't have this problem it sounds like I should downgrade my install on XP right now, even though .15 fixed that date bug..... I just don't want to put beta software on my XP right now.

-- "Leave it to the catholics to destroy existence" "You can change ideas, but it's harder to change beliefs" -Dogma

[text was edited by author 2002-02-25 03:34:19]
PapaDos (Cum Grano Salis; Premium, MVM; joined 2001-02-08; Lasalle, QC; kudos: 2)

said by BlitzenZeus:
> That is very interesting... .14 doesn't let persfw.exe do anything it wants, and .15 does? ....or did you only test iexplore?

Not sure I understand. What I did is to rename IExplorer to persfw.exe and launch it. An alert box similar to the one shown by inTulsa popped up.

By the way, the date bug is only apparent for December; it is ok now... for a few months at least, LOL.

-- Nunc est bibendum...
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

Ok, then you did it correctly.

Any file named persfw.exe was passing through the firewall like it didn't exist.
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

reply to inTulsa

It works!!! Thank you inTulsa. Ok, I tried to attach it to my post, but DSLR is being flaky at this late hour. So I will post the altered file tomorrow for those who want to replace their current 'holy' version.

It's great to actually be prompted for actions that are usually hidden from you, and now the firewall is subject to its own rules!!

Everything is working fine, and I have no new problems.

-- "Leave it to the catholics to destroy existence" "You can change ideas, but it's harder to change beliefs" -Dogma

[text was edited by author 2002-02-25 04:04:57]

reply to gwion

Re: Kerio - Tiny users... issue confirmed on Kerio..

Here's a zip that contains a patched VXD for Kerio 5 beta: [link was removed]

The zip's also got the GIF of what was altered. It's on @home web space and they're shutting down in a few days. Maybe by then beta 6 will be out or better resolutions will have been identified.

I assume (but have not verified) that the same VXD is also used for Win2K and XP?

Thanks to the many for raising and addressing the issue. Tomorrow's another day.

[text was edited by author 2002-02-25 15:34:58]
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

I'm not sure if they are exactly the same, but they are exactly the same size when I compared our files. So it's only an assumption that they are identical for all OSes at this time.

[text was edited by author 2002-02-25 14:25:31]
PapaDos (Cum Grano Salis; Premium, MVM; joined 2001-02-08; Lasalle, QC; kudos: 2)

I really don't like the new "feature". Any idea what they were trying to do at Kerio/Tiny? I stopped upgrading at 2.0.14 because I didn't like the fact that they were trying to do too many things at the same time. TPF used to be a very simple and effective tool. I don't know about the newer version and what to think after the merge of the two companies...

-- Nunc est bibendum...
BlitzenZeus (Burnt Out Cynic; Premium; joined 2000-01-13; kudos: 2)

I think the problem came from the 'check for updates' feature, since that seems to be the main difference other than the logo change with .15.

I'm sure if they have as good a team as they did before, this will be fixed soon in Kerio. I really doubt they will update Tiny.....

-- "Leave it to the catholics to destroy existence" "You can change ideas, but it's harder to change beliefs" -Dogma
reply to gwion

Re: Kerio - Tiny users... issue confirmed on Kerio

The issue seems to have been resolved in the next beta:

From: "Stanislav Kolar"
Date: Mon Feb 25, 2002 10:04 am
Subject: Re: [keriofirewall] Any app named "persfw.exe" allowed to access the net!

This issue is already solved and fix will be included in next release of KPF 2.1.0 (available during this week)...

S. Kolar (skolar@k...)
gwion (wild colonial boy; Premium, ExMod 2001-08; joined 2000-12-28; Pittsburgh, PA; kudos: 1)

reply to gwion

Re: Kerio - Tiny users... issue confirmed on Kerio..

I have a lot of faith in both Mr. Kolar's word and his intention to remain proactive in his responses to these sorts of things... and that Tiny and Kerio will retain their reputation for prompt upgrades. I hope they'll continue living up to it, and I expect a patch, soon. A warning to the "casual user": hex editing a file on your own can have some serious side effects. That's for the power users only, who understand the risks and potentials for creating an unintended side effect. I haven't had a chance to look at the change it makes, but, remember, we don't want to hatch a tarantula killing a centipede! That said, I'll defer comment on that department to BlitzenZeus, who seems pretty articulate with the ol' hexed... for myself, I'm most interested in seeing a prompt patch for this... after all, we need a solution for all users, not just for ourselves... and the most vulnerable users will be the ones who've never even seen this thread or any of the complementary threads at yahoo and elsewhere...

... and as soon as something's available, I hope and trust we will have a link, here, and we'll make sure that the "mandatory upgrade" is properly publicized. Thanks for all the remarks, tips and confirmations.

For now, from what I can see, what we have is a confirmed issue affecting TPFW v. 2.0.15 and 2.0.15a, and Kerio PFW, all beta versions up to beta 5... sound correct? Thanks, one and all, for the comments, tips and time... more info as it becomes available!

PS- be advised, WinNT4 uses a traditional [fwdrv.SYS] kernel mode driver, not a virtual device driver... just wanted to pass that along. The NT4 security model severely limits the functionality of VxDs on the system, making them less than an ideal way of implementing a driver (like a firewall) that requires a high security context to work well... therefore, NT users won't even find a "fwdrv.VXD" on their system... FYI...

-- A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him. --Mark Twain

[text was edited by author 2002-02-25 13:07:22]