geico$
join:2002-02-26
Honolulu, HI

geico$

Member

Kerio 2.1.1 Released

Fixes to some minor bug issues:

2.1.1 - March 12, 2002
+ Updated about dialog
- fixed "too small packet bug"
- fixed bug: driver crashes on Win9x when no network components

Also the release history shows what was done from Beta 5 to Final release version 2.1:

2.1.0 Final - March 11, 2002
+ KPF now includes documentation with installation
+ added checkbox "Dont Ask For Each Access To My Shared Folder/Printer"
+ subnet mask auto-insertion feature in filter rules editor
+ cooperation with system modules improved on Win9x systems
+ communication with licensing server is now encrypted
- removed bug "HookCreateService"
- spoofing of "persfw.exe" is no longer possible
- fixed bug in Alert Dialog (DeleteAll + Last Button)
- removed checkbox "Ask For Action When No Rule Found" for consistency with rule settings
- fixed managing of executables across network shares

[text was edited by author 2002-03-12 17:51:01]

Murray3
join:2001-03-06
Texas

Murray3

Member

Thanks a lot geico! Nice to see Kerio making the updates...

Hmmm... the Kerio.com site still shows the latest release (in its downloads section) as 8 March.

[text was edited by author 2002-03-12 17:58:25]
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus to geico$

Premium Member

to geico$
2.1.0 Final - March 11, 2002 (aka March 8, 2002)
- spoofing of "persfw.exe" is no longer possible

Ahem... BS!!!

At this time the download is still 2.1.0, and it looks like they haven't even uploaded version 2.1.1 yet! I can't even manually change the download link at this time.

When it's available, this link should work:
http://download2.kerio.com/dwn/kpf/kerio-pf-211-en.exe

[text was edited by author 2002-03-12 18:16:44]

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to geico$

to geico$
Good eyes, GOOD eyes. And good news. Perhaps this addresses the issues we were discussing over the last few days? hmmm... looks like it from the release notes oops. No it doesn't. Looked at the wrong ones.. ... Thanks. On my way!!!

Well, the release is posted, but the link is still pointing at pfw210 ... so, I'll root around and see what I can find... sit tight!


- spoofing of "persfw.exe" is no longer possible

...I believe this issue is unresolved in 2.1.0, but I genuinely hope it's fully resolved in 2.1.1 --- as soon as the installer is available. They're still pointing to 2.1.0 ...
gwion

gwion to geico$

to geico$
Well, we'll keep this near the top. Anyone who sees anything, PLEASE, post an alert. Seems to me this could be an important release, with the unresolved issue floating around. By the way, please note that it looks like they have addressed the "too small packet" issue we've run into a few times...
Now, if they can get the masquerade issue right, we'll be off in the right direction.

Sunriser13
Premium Member
join:2001-12-16
Umm... here?

Sunriser13 to geico$

Premium Member

to geico$
Well, as of 9:00 AM, available for download is still:

Current version: 2.1.0
Release date: March 8, 2002

Keeping it up top...
**BUMP**
Sunriser13

Sunriser13 to geico$

Premium Member

to geico$
The download still points to the March 8 version, but the Release History has been updated as follows...

2.1.1 - March 13, 2002
+ Updated about dialog
- fixed "too small packet bug"
- fixed bug: driver crashes on Win9x when no network components
- "persfw.exe" cannot be renamed while running

Perhaps soon...

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to geico$

to geico$
This has been a common situation since the early days of Tiny. I get a little frustrated, sometimes, but I also appreciate proactive development and design. But this looks promising. Looks like what we want to see, here. Let's keep this near the top, as a reminder. If the fix is indeed there, we'll have what I personally see as a "mandatory patch" real soon...
forgo0
join:2002-03-10

forgo0 to BlitzenZeus

Member

to BlitzenZeus
said by BlitzenZeus:
When it's available, this link should work:
http://download2.kerio.com/dwn/kpf/kerio-pf-211-en.exe
It appears as though this link is working now. Go get it!

Revcb
Orbis non sufficit
Mod
join:2001-07-05
Jackson, MI

Revcb

Mod

It is still not available from the Kerio site, but a post in the Yahoo group has a download link (which is the same one provided by BlitzenZeus I believe).

Murray3
join:2001-03-06
Texas

Murray3 to forgo0

Member

to forgo0
Cool.

2.1.1 is now downloaded and installed on my PC.

When I get time, I will see if I can test out the ol' firewall spoofing to see if that's still an issue.

Sunriser13
Premium Member
join:2001-12-16
Umm... here?

Sunriser13 to geico$

Premium Member

to geico$
HEY, Y'ALL!! Download link on Kerio site has now been updated...

Product - download

Current version: 2.1.1
Release date: March 13, 2002

Let the games begin...

geico$
join:2002-02-26
Honolulu, HI

geico$

Member

Great, it's there now.

Downloading in progress...

pompeyfan
Premium Member
join:2001-12-25
Australia

pompeyfan to geico$

Premium Member

to geico$
Bloody ripper, got it!

Await the verdict of you experts before I install.

geico$
join:2002-02-26
Honolulu, HI

geico$

Member

Here is something I spotted which is new in Kerio's History report for 2.1.1 - March 13, 2002

- "persfw.exe" cannot be renamed while running

Murray3
join:2001-03-06
Texas

Murray3

Member

said by geico:
Here is something I spotted which is new in Kerio's History report for 2.1.1 - March 13, 2002

- "persfw.exe" cannot be renamed while running
That statement holds true on my PC.

(Win2000, NTFS, Kerio 2.1.1).

Sunriser13
Premium Member
join:2001-12-16
Umm... here?

Sunriser13 to geico$

Premium Member

to geico$
By the by...although the link BlitzenZeus posted earlier worked for me, this appears to be the one now...at least this is what's on the site.

»download.kerio.com/dwn/kpf2-en

Install program name changed to "kpf2-en" for some reason...

EDIT--My mistake--leads to the same program---SORRY!!

geico$
join:2002-02-26
Honolulu, HI

geico$ to Murray3

Member

to Murray3
You may not be able to rename it anymore, but is it checking an MD5 signature now or not? I still wonder.

Just for extra security I would think it should.

I don't know any reason why it shouldn't.

Also, did anyone here notice that on the front of Kerio's Administration part the top level of security is now called "Deny Unknown"? It used to be called "Cut me Off".

[text was edited by author 2002-03-13 16:24:40]

Murray3
join:2001-03-06
Texas

Murray3 to geico$

Member

to geico$
I have a few spare moments to check the persfw.exe masquerading issue. (Where the firewall was/is vulnerable as far as other apps called persfw.exe exiting out of the PC using port 80).

Any ideas on the simplest way to test it?

geico$
join:2002-02-26
Honolulu, HI

geico$

Member

I'm not sure, Murray; don't worry about it right now if you don't have much time.

I was just curious about auto-updates and so on: when it goes out, whether it is going to check itself now before going out, and also make you aware of the fact.

I'm not sure what you could do to test this if you can no longer rename Persfw.exe.

I assume it's not checking itself yet, but let's hope I am wrong.

Now, maybe what they have done is enough, but you would still think it should be checking an MD5 signature just for extra security, to make sure, and also in some form notifying you, either in the logs or a pop-up message, that it wants to go out.

[text was edited by author 2002-03-13 16:54:22]

Murray3
join:2001-03-06
Texas

Murray3 to geico$

Member

to geico$

Masquerade Test of Kerio 2.1.1

I have tried to test out the masquerade issue with Kerio. Note, I am not sure I have performed the test correctly, but here's what I did and my observations...

1. Installed Kerio 2.1.1

2. Kerio did not generate an MD5 for PERSFW.exe
At least, it definitely did not list any MD5 signature in its MD5 list.

3. I shut down PERSFW.exe and renamed it to PERSFW2.exe

4. I opened PERSFW2.exe (the genuine firewall) and it launched Kerio successfully.

5. Copied IEXPLORE.exe from its folder to the Kerio Application folder... and renamed it to PERSFW.exe

6. Launched the fake PERSFW.exe (IE) and Internet Explorer launched.
However, it could not connect to any web site. It failed with a DNS error each time.

7. At this moment, Kerio (PERSFW2.exe) created an MD5 signature for the fake PERSFW.exe.
The MD5 signature contained the path to the fake PERSFW.exe and showed the icon as that of IE.

8. I closed and removed the fake PERSFW.exe (Internet Explorer).

9. Closed Kerio and renamed it from PERSFW2.exe back to PERSFW.exe

10. Launched Kerio.

11. The MD5 list continued to show the MD5 for PERSFW.exe and now showed the icon as that of Kerio.

Summary
Surely something is still up here?
Kerio did not create an MD5 for itself until I used a fake PERSFW.exe
At this time, it created the MD5. I can understand this, as it created the MD5 due to PERSFW.exe wanting to go out to the Internet for the first time.

However, when I reopened Kerio genuinely (having renamed it back from PERSFW2.exe to PERSFW.exe) surely it should have recognized the different EXE and should have therefore prompted me if I wanted to allow the new application? It did not.

Therefore, my two final comments are...

1) Kerio does not make an MD5 for itself until PERSFW.exe (genuine or fake) tries to access the Internet.

2) If a fake PERSFW.exe tries to connect outbound, Kerio will make an MD5... but following the removal of the fake application, when the genuine PERSFW.exe opens I see no prompt that Kerio recognizes a new PERSFW.exe opening.

I have a feeling I have done the test incorrectly for the Masquerading issue... but thought I would at least flag these findings.

Is this cause for concern? Is there a functional problem or am I interpreting things wrong?

[text was edited by author 2002-03-13 17:08:07]
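A small model of the signature-list behaviour Murray3's steps describe, added here as an illustration; it is not part of the thread and not Kerio's code. It contrasts a lazy store that only records a hash on the first outbound attempt with a forced verify, replayed over constructed stand-in bytes for the genuine and fake PERSFW.exe (the path is assumed).

```python
import hashlib

# Constructed stand-ins for the two binaries in the test; not real file contents.
GENUINE_PERSFW = b"constructed stand-in for the real PERSFW.exe image"
FAKE_PERSFW = b"constructed stand-in for IEXPLORE.exe renamed to PERSFW.exe"
PERSFW_PATH = r"C:\Program Files\Kerio\Personal Firewall\PERSFW.exe"  # assumed path


class AppSignatureList:
    """Per-application hash list keyed by path (a model of the thread's 'MD5 list')."""

    def __init__(self):
        self.sigs = {}  # path -> md5 hex digest of the image that first asked to connect

    @staticmethod
    def digest(image):
        return hashlib.md5(image).hexdigest()

    def on_outbound_attempt(self, path, image):
        """Lazy behaviour the test observed: a signature is created the first time a path
        asks to go out; a later image at the same path is silently treated as known."""
        if path not in self.sigs:
            self.sigs[path] = self.digest(image)
            return "new"
        return "known"

    def verify(self, path, image):
        """Forced check (the 'Check MD5' button): compare the current image with the stored hash."""
        stored = self.sigs.get(path)
        if stored is None:
            return "unsigned"
        return "ok" if stored == self.digest(image) else "mismatch"


def replay_masquerade_test():
    """Replay Murray3's steps against the model and return what each step observed."""
    sigs = AppSignatureList()
    results = {}
    # Step 2: fresh install, no signature for the firewall binary itself.
    results["after_install"] = sigs.verify(PERSFW_PATH, GENUINE_PERSFW)
    # Steps 6-7: the fake PERSFW.exe tries to go out; a signature is created for it.
    results["fake_outbound"] = sigs.on_outbound_attempt(PERSFW_PATH, FAKE_PERSFW)
    # Steps 9-11: genuine binary back at the same path; lazy mode raises no prompt.
    results["genuine_lazy"] = sigs.on_outbound_attempt(PERSFW_PATH, GENUINE_PERSFW)
    # Zupe's question: a forced check does flag the stored hash as not matching.
    results["genuine_forced"] = sigs.verify(PERSFW_PATH, GENUINE_PERSFW)
    # The stored hash is still the fake's, which is why path and entry looked unchanged.
    results["stored_is_fake"] = sigs.sigs[PERSFW_PATH] == AppSignatureList.digest(FAKE_PERSFW)
    return results


if __name__ == "__main__":
    for step, outcome in replay_masquerade_test().items():
        print(f"{step}: {outcome}")
```

The gap the model shows is the one the thread circles around: an entry that is only created on first use and only compared on demand will not by itself prompt when a different image appears at a known path.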

Zupe
MVM
join:2001-11-29
New York, NY

Zupe to geico$

MVM

to geico$

Re: Kerio 2.1.1 Released

Thanks for testing this Murray. I'll hopefully be home in about an hour and plan to do some tests myself. From what you posted, I have to agree that it still seems like the real persfw.exe is not running an MD5 check on itself. I really wish they'd incorporate that or at least provide a reason why that isn't possible. Two questions for you: 1) Were you running with the "check for new version" option enabled? If you were, it would seem the first check for an update when you launched the firewall should have created the MD5 signature for persfw.exe when it tried to check for an update, 2) If you run "Check MD5s" or whatever it's called on that tab, are your MD5 signatures ok'd or does it flag the persfw.exe one as invalid? If it accepts that, it's effectively saying there's no difference in the signatures for the real Persfw.exe and the IE "fake", which is obviously wrong.

Murray3
join:2001-03-06
Texas

Murray3

Member

Thanks for responding.
said by Zupe:
1) Were you running with the "check for new version" option enabled?
No, I do not have the 'check for updates' option checked.
said by Zupe:
2) If you run "Check MD5s" or whatever it's called on that tab, are your MD5 signatures ok'd or does it flag the persfw.exe one as invalid?
Good point to raise and one I'm glad you did, as I overlooked that.
Upon pressing the 'Check MD5' button, Kerio did flag the MD5 sig as being incorrect. So this looks like it is working in this respect.

One further thing of note here, is the fact that I did not use a password at any point during this test. I think gwion is due to respond soon, incorporating some details about this in his response. I think you'll agree that all may become somewhat clarified when we see his response.

[text was edited by author 2002-03-13 17:22:20]

Sunriser13
Premium Member
join:2001-12-16
Umm... here?

Sunriser13 to Murray3

Premium Member

to Murray3

Re: Masquerade Test of Kerio 2.1.1

said by Murray:

7. At this moment, Kerio (PERSFW2.exe) created an MD5 signature for the fake PERSFW.exe.
The MD5 signature contained the path to the fake PERSFW.exe and showed the icon as that of IE.

---snip---

11. The MD5 list continued to show the MD5 for PERSFW.exe and now showed the icon as that of Kerio.


When you ran your test, did you happen to notice whether the MD5 signature that the "fake" (IE) created in Step 7 was the same as the MD5 signature reported at Step 11 for the now correct persfw.exe?

--EDIT--
Well, y'all beat me to the punch while I was typing my post...damn slow fingers...

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to geico$

to geico$

Re: Kerio 2.1.1 Released

Partially. You had to shut down the firewall. But your methodology is very sound, otherwise. The release notes indicate, and I've already proved, that the system now keeps the exe locked after it loads on my NT test machine. That means you can't rename it.

Here's where I made a mistake. I keep Kerio passworded. It's impossible to unload it without the password. All firewalls would be, to one or another extent, vulnerable to masquerade. If the file can be locked, it prevents replacement of the file because the file can't be shut down.

Now, let me also point out that I force an MD5 check before and after, too, on the MD5 screen of the firewall set up.

It's VERY important, even CRUCIAL, to note that Tiny and Kerio are not run of the mill consumer toss out freeware apps. They're the active PC firewall component in both the CMDS enterprise security platform, and in winroute pro. I suspect that the ability of PERSFW.exe to communicate with a central server is essential functionality in such installations. I'm still out researching that, myself. I haven't had much chance to browse that.

Now, I also see that PERSFW.exe DOES create an MD5 for itself. However, I'm still showing the (incorrect) MD5 from 2.1.0, right now. Forcing a check on the MD5 page reveals that. I have received no alerts, opening the firewall interface, though. Is it checking? Yes, maybe we do have a minor issue, here. Maybe not. However, the "red alert" seems to be in stand down, as I see it.

I frankly have always advised using a password, over the time I used this firewall, why? because I can... and nobody can script my password! This is a concern with ANY firewall. What was a critical flaw, as I saw it, was that the firewall could be running, and still be "violated" this way.

Until I learn more about the functionality this firewall supports in a broader, integration environment (where it is derived from, and where it's used in corporate installs), I have to, speaking for myself, and after "I" play with this (verify, replicate, verify! ) this satisfies me, at least on first blush.

Murray3
join:2001-03-06
Texas

Murray3 to Sunriser13

Member

to Sunriser13

Re: Masquerade Test of Kerio 2.1.1

said by Sunriser13:
When you ran your test, did you happen to notice whether the MD5 signature that the "fake" (IE) created in Step 7 was the same as the MD5 signature reported at Step 11 for the now correct persfw.exe?
The path, EXE and MD5 algorithm was exactly the same for both steps.

The only difference being the icon of the sig, which is understandable, as it must take the icon from the active EXE using that sig.
Murray3

Murray3 to gwion

Member

to gwion

Re: Kerio 2.1.1 Released

Grateful as always for your response, gwion.
said by gwion:
Now, let me also point out that I force an MD5 check before and after, too, on the MD5 screen of the firewall set up.
What are your methods for doing this? (Just out of curiosity).
said by gwion:
Now, I also see that PERSFW exe DOES create an MD5 for itself. However, I'm still showing the (incorrect) MD5 from 2.1.0, right now. Forcing a check on the MD5 page reveals that.
This is one of the places I am getting confused a little. (It doesn't take a lot ).

When I install Kerio, it does not place an MD5 signature in the MD5 list.

Are you saying it creates a sig for itself after you have forced it to? Or are you saying it creates one, period? If this, then how so?

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to geico$

to geico$
I'm going out to test this more in depth. Suffice to say that if authentication prevents the exploitation, that's about the best a PC firewall can be expected to do. Now, I'm talking user auth; MD5 authentication is another story. Now, I've seen the MD5 in my list. It's the old one though, and I have the firewall connected... however, I'm not sure whether this is purposely designed, to support integration in a corporate environment... as can be seen, the original bug would be a virtual nightmare in a corporate environment, though, where hands-on employee tampering is a top concern.

It was a nightmare PLUS on a personal computer, where there would usually be no "choke point", in the sense of a border firewall and a management console intervening, and the sandbox component is absent. I'm standing down, and I'm running a few more tests, before I say more. For right now, I'll just say I'm a LOT happier than I was yesterday... and I really appreciate Kerio's prompt action on this. Even if it's not perfect... nothing ever is... it's a step in the right direction.

Murray3
join:2001-03-06
Texas

Murray3

Member

said by gwion:
For right now, I'll just say I'm a LOT happier than I was yesterday... and I really appreciate Kerio's prompt action on this. Even if it's not perfect... nothing ever is... it's a step in the right direction.
Me too!

I'd say with the findings I have right now, that I am happier too, with this new release.

It's pretty tight if you set that all important password.

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to geico$

to geico$
Yes. I should be stressing it more. Even a trivial password is better than nothing, even on a stand alone one user system. Face it, what's our biggest threat? Trojans and script exploits. Nobody can contemplate a password in a script.

Well, here's my initial report. I placed the "off by one" stand alone executable in the Kerio binary directory, tried to rename the file PERSFW.exe ... failed. File locked. Great so far. I then tried to rename the browser as "PERSFW.jpg.exe" (common trojan trick); it seemed to have detected the correct file header information when it prompted for access, not the name I had in the directory; it correctly identified the software.

I denied and it was unable to connect out.

As to the checking of the PERSFW.exe MD5, I'm still out, on that. All software has some issues, and, as I said above, this may not be an issue, but an accommodation for some of the integration features we don't use on personal systems, at least, not yet...

The problem is, on a firewall, a feature can't compromise security while enhancing it, if that makes sense. It's not MS Word or something like that. We depend on it for overall security ... Something like that was serious, and I'm really pleased to see that Mr. Kolar handled it responsibly and promptly... and I'll give him the doubt that, even if we aren't exactly where we want to be, I've coded a little, myself, and I know he probably isn't, either. So long as he makes a proactive effort to get closer to perfection, follows with improved releases, and makes good on our trust by patching things up promptly in the interim, that's all we can reasonably ask.

Soon as I'm satisfied I'm not getting out any other ways, I'll post mortem this, assuming that's what's in order. Thanks, all. I can't help thinking your alertness helped improve a firewall, today, before we had to learn the hard way. Great job.

This MD5 issue could bear some looking at, down the road, but I don't think it's as critical, on the scale of things ... I need more background on the firewall and the integration elements before I feel competent, though, to comment or experiment much with that one... I'm already reading up on the background... meanwhile... Keep up the great work! Let's go help some people set up firewalls, now... and hope when the smoke clears we can finally stand down, now...

PS- need we say, this looks like a mandatory upgrade for anyone using any prior Kerio releases. Tiny 2.0.15 is still subject to a worse variation, in which the masquerading file can be in ANY directory on your filesystem, and manage to escape undetected... concerned users can downgrade to v. 2.0.14 or can use Kerio, current release 2.1.1, until Tiny addresses this (or drops the firewall? We're entirely unclear whether they're planning a 3.0 release, as of now... they spoke of it some time back... but some suspect it will be Kerio 3.0 ... nobody knows, it seems, yet. So, for some, I suppose, the vigil continues?)