Kerio 2.1.5 Vulnerabilities!!

[REM]

Chaos Master <[email protected]> wrote:

My favorite is Kerio 2.xx. Works like a charm with file sends on IRC.

I would agree with you, but in another thread:

<[email protected]>

http://www.firewallleaktester.com/wwdc.htm

Check the link. The site has several programs you can run to test outbound
capabilities. Kerio 2.1.5 ranks pretty low. I'm doing the various tests now.

These are trojan type tests it looks like, rather than the solicitation type
tests at GRC.

I'm trying the tests listed for XP for which Kerio 2.1.5 is reported to be
vulnerable. I'm completely updated critical updatewise. I score perfect stealth
at GRC:

TooLeaky (defeated Kerio)
PCAudit (unsuccessful!)
AWFT (9/10 defeats Kerio)
Thermite (defeated Kerio)
CopyCat (defeated Kerio)
WB (defeated Kerio)
PCAudit (defeated Kerio)
Ghost (defeated Kerio)
DNSTester (defeated Kerio)
Surfer (defeated Kerio)

Man, either my Kerio settings are way off or the firewall is very ineffective
for these types of exploits! I'm shocked at what some of these programs were
able to show.

Maybe it's just XP exploitability. Can anyone else running Kerio 2.1.5 try these
tests and report the success rates? Especially with Win 9x and ME.

 

[John Corliss]

(clipped)
TooLeaky (defeated Kerio)
PCAudit (unsuccessful!)
AWFT (9/10 defeats Kerio)
Thermite (defeated Kerio)
CopyCat (defeated Kerio)
WB (defeated Kerio)
PCAudit (defeated Kerio)
Ghost (defeated Kerio)
DNSTester (defeated Kerio)
Surfer (defeated Kerio)

Man, either my Kerio settings are way off or the firewall is very ineffective
for these types of exploits! I'm shocked at what some of these programs were
able to show.
Maybe it's just XP exploitability. Can anyone else running Kerio 2.1.5 try these
tests and report the success rates? Especially with Win 9x and ME.

REM,
Intentionally downloading programs like these in order to test a
firewall isn't what I consider to be a good idea. Remember that some
Trojans once installed, are able to disable firewalls. The idea is to
keep them off of your system in the first place.

 

[REM]

REM,
Intentionally downloading programs like these in order to test a
firewall isn't what I consider to be a good idea. Remember that some
Trojans once installed, are able to disable firewalls. The idea is to
keep them off of your system in the first place.

That's true and I started to write that, but I didn't. If you have kids using
the PC as I do you never know what they might install, intentionally, tricked,
or trojaned. So, it seems important that the system be able to handle as many
exploits as possible. Kerio, unfortunately, scores pretty low in comparison to
other firewalls, some of which are commercial.

Also, none of these disabled Kerio as far as I can see. They simply utilized
Windows to reroute through programs and services maked as OK in Kerio. I suggest
giving these a try in ME just to see some capabilities of _known and published_
exploit techniques for your own interest. I was hoping that Art would try hese
also.

I have read further though and this looks like, shoulda guess it, a Windows
leak. The default settings for XP are dangerous, but hey, they work for
everyone! The firewall cannot contain massive leaks that Windows itself
provides.

I'm in the process of trying safer settings and then I'll try the exploits again
and see if Kerio performs better.

This page was linked from the page that contains the exploits and is pretty good
in explaining the Windows default settings problem and fix.

http://www.blackviper.com/WinXP/servicecfg.htm

I've been exploited myself twice and was forced to do a complete reinstall. I
think the real problem was that during both installs I was cramped for time and
never tweaked the default Windows settings and services running. I did look at
GRC, but he hasn't really done anything for XP as far as this goes. The above
link is a better choice for XP settings.

One quick fix I read about, setup IE in Kerio and explicity deny! That's just
the tip of the iceburg I fear. The above site does offer registry files that can
be merged to correct most problems in the default Win settings.

I'm hoping that the initial results were the result of MS settings and not
Kerio.

 

[Steve H]

Also, none of these disabled Kerio as far as I can see. They simply utilized
Windows to reroute through programs and services maked as OK in Kerio. I suggest
giving these a try in ME just to see some capabilities of _known and published_
exploit techniques for your own interest. I was hoping that Art would try hese
also.

Kerio uses MD5 signatures for permitted apps - so in theory another
app masquerading as an allowed service would trigger a
response...wouldn't it?
Surely, if you have the firewall admin password protected there should
be no way a rogue app could gain permission?

I use password protection on my setups, and for the kid's computer I
have Kerio set to its highest level ( deny all except allowed ).
On my own system I allow for prompting, just to keep an eye on things.

Regards.

 

[jo]

Intentionally downloading programs like these in order to test a
firewall isn't what I consider to be a good idea.

There is nothing wrong at all with installing leak tests in order to see
how your firewall handles them. There are many valuable lessons that can
be learnt.

Remember that some
Trojans once installed, are able to disable firewalls.

REM was not installing trojans... unless he was getting his leak test
apps from really dubious sources

The idea is to
keep them off of your system in the first place.

Trojans you mean? Yep.

 

[REM]

(e-mail address removed) ( Steve H) wrote:

Kerio uses MD5 signatures for permitted apps - so in theory another
app masquerading as an allowed service would trigger a
response...wouldn't it?
Surely, if you have the firewall admin password protected there should
be no way a rogue app could gain permission?

That's why I was so shocked. Evidently there are ways of hijacking apps that are
set to allow connections. Notepad is one I have because I use Crypt Edit, which
replaces notepad.exe and I allow it to connect. Windows Explorer is another that
was set. I'm not sure if I set WE, or if that was default.

I use password protection on my setups, and for the kid's computer I
have Kerio set to its highest level ( deny all except allowed ).
On my own system I allow for prompting, just to keep an eye on things.

I have kerio set to highest after keeping an eye on things for a couple of
weeks. There are so many scanners trying to connect it became tedious closing
boxes pretty quickly.

I've just merged a reg labled as SAFE from the Black Viper site. I'm going to
run the exploits again and see if Windows was the real culprit. I've fully
trusted Kerio 2.1.5 for so long it's going to hurt if it does fail again.

 

[Steve H]

That's why I was so shocked. Evidently there are ways of hijacking apps that are
set to allow connections. Notepad is one I have because I use Crypt Edit, which
replaces notepad.exe and I allow it to connect. Windows Explorer is another that
was set. I'm not sure if I set WE, or if that was default.

That sounds rather worrying - but then if a rogue app could do that in
such a way as to bypass Kerio, wouldn't it work for all other software
firewall solutions?

I have kerio set to highest after keeping an eye on things for a couple of
weeks. There are so many scanners trying to connect it became tedious closing
boxes pretty quickly.

I've just merged a reg labled as SAFE from the Black Viper site. I'm going to
run the exploits again and see if Windows was the real culprit. I've fully
trusted Kerio 2.1.5 for so long it's going to hurt if it does fail again.

I use one of the Sponge rulesets as my starting point, and I guess I
hope that's sufficient to keep any of the nasties out. It certainly
does away with the vast majority of casual scan alerts.
Trouble is, I've tried the competition and despite the relatively
steep learning curve with Kerio, it really does seem to be the one
that works for me...unless it really does have some major holes!

Regards,

 

[REM]

I'm trying the tests listed for XP for which Kerio 2.1.5 is reported to be
vulnerable. I'm completely updated critical updatewise. I score perfect stealth
at GRC:

TooLeaky (defeated Kerio) 3k
PCAudit (unsuccessful!) 43k
AWFT (9/10 defeats Kerio) 878k (install)
Thermite (defeated Kerio) 28k
CopyCat (defeated Kerio) 54k
WB (defeated Kerio) 16k
PCAudit2 (defeated Kerio) 97k
Ghost (defeated Kerio) 11k
DNSTester (defeated Kerio) 24k
Surfer (defeated Kerio) 20k

Above is the test without XP services tweaking.

Below is the same tests after tweaking XP services to safe and running "Windows
Worms Doors Cleaner," which makes sure 5 common worm entries are closed:

http://www.firewallleaktester.com/wwdc.htm (WWDC page)


The results are the same. Not good for Kerio 2.1.5. I only have minimal services
running now. Below are other steps I tried:

-----------------------------------------------------------------------------------------------
At this point I closed all internet traffic using Kerio and all programs were
stopped.

So, the Kerio can close everything down, but it can not stop these programs if
internet access is on..

-----------------------------------------------------------------------------------------------

So, I uninstalled Kerio, reinstalled it, set it to popup on any requests that
have no rules set, unticked everything that was ticked by default and I set
rules only for Agent, Thunderbird, and Avant.

All programs defeated Kerio except PcAudit, which failed the first try

-----------------------------------------------------------------------------------------------

I don't know what else to do...

I set a Kerio rule for Internet Explorer explicitly denying all internet access
and got somewhat better results.

This stopped CopyCat, Firehole, Surfer, TooLeaky and WallBreaker, so these must
focus on IE weaknesses.

DNSTester, Ghost, PCAudit2, Thermite and AWFT are still viable exploits!
-----------------------------------------------------------------------------------------------

I'm curious if XP/Kerio alone is vulnerable, or if all Win versions/firewalls
(freeware and commercial) crumble when these tiny programs are executed. The
link above has the exploits if anyone else cares to try. They are quick to dl
and execute.

If XP alone is vulnerable I think I will downgrade back to 98SE. This is not
good news at all.

 

[Aaron]

(e-mail address removed) ( Steve H) wrote in

Rem
I'm suprised you are not familar with leak tests. Since Steve Gibson's
famous original leak tests, dozens of such tests have sprung out, each
using ingenious methods to bypass outward bound filtering.


In general no, MD 5 signatures only work, if some software renamed itself
to have the same name as a trusted app, but it would then have a different
MD5 hash. This was the original crude method used by the original leak test
by Steve Gibson.

But nowdays leak tests don't use such methods.

Process/DLL injection, misuse of hardcorded rules,"piggybacking" on trusted
apps, exploiting weaknesses in the filtering by a lower level transmission
etc are some of the methods used these days.

Read the leakpaper document here
http://www.firewallleaktester.com/docs/leaktest.pdf


They don't need to change your firewall rules, they exploit weakness built
in the firewall.

That sounds rather worrying - but then if a rogue app could do that in
such a way as to bypass Kerio, wouldn't it work for all other software
firewall solutions?

Correct. There is no known firewall that can block all publicly known leak
tets, though some are better. And no, not using Internet explorer (a
commonly targetted trusted app) doesn't count as a workaround, since the
leak test could target anything.

A lot of experts are of the opinon that (perhaps short of a process
sandbox) once a malware gets in, it's game over. The poor firewall is often
placed in the impossible position of figuring out where the request for an
outbound connection finally orginates from, and this is impossible since
it's not really it's job to know such things unless it is the OS!

The only somewhat sure way of defeating leak tests is not only to control
processes that connect outwards (as firewalls do) but also a means of
controlling ALL processes as they start. Some firewalls like Kerio 4
already have this built in.

Or you could use a seperate solution like system safe monitor (overly
complicated), or Processguard (the free version - allows you to protect one
process will be shutdown but allows you to lock processes from starting
except those whitelisted). These applications will prompt you whenever a
process starts, or when one tries to start another.

For your kids computer, you might run it , make it recognise all the
legimate processes, then lock it. That way , the leak test or something
similar won't even get to run, and that stops it cold.

I use one of the Sponge rulesets as my starting point, and I guess I
hope that's sufficient to keep any of the nasties out.

But it's unlikely to stop leak tests, unless you know for sure the ip
address that it will be transmitting out to.


It certainly

does away with the vast majority of casual scan alerts.
Trouble is, I've tried the competition and despite the relatively
steep learning curve with Kerio, it really does seem to be the one
that works for me...unless it really does have some major holes!

It does have some holes, like the problem with dealing with fragmented
packets, but in terms of leak tests, I can assure you if you are worried
about those, you will probably drive yourself nuts since no firewall gets
them all.

 

[Aaron]

There is nothing wrong at all with installing leak tests in order to see
how your firewall handles them. There are many valuable lessons that can
be learnt.

Yes, like if you are careless and download/run some particularly evil
malware, chances are you are dead, regardless of your defences.

 

[REM]

(e-mail address removed) ( Steve H) wrote:

That sounds rather worrying - but then if a rogue app could do that in
such a way as to bypass Kerio, wouldn't it work for all other software
firewall solutions?

Yes, I saw all kinds of phrases I'm not familiar with. There were dll exploits,
hijackers and all sorts of methods to simply use what Bill has made available to
do an end run around Kerio and other firewalls to some degree.

I use one of the Sponge rulesets as my starting point, and I guess I
hope that's sufficient to keep any of the nasties out. It certainly
does away with the vast majority of casual scan alerts.
Trouble is, I've tried the competition and despite the relatively
steep learning curve with Kerio, it really does seem to be the one
that works for me...unless it really does have some major holes!

If you want to try one, try the PCAudit2 (97k .exe). Start it, open an editor
and type something, and then finish running it. This thing will email html a
photo of your editor, what you typed and a token file listing just to give an
example of how wide open you are if this bit of code, or similar code, makes it
to memory.

http://www.firewallleaktester.com/leaktest12.htm


I felt pretty secure before Francois posted the site and I began playing around
with it. I feel pretty darned naked and somewhat foolish for feeling secured
right now.

As long as you can control what comes in and is executed there should be no
problems. With kids, I just don't see how to stop what might come & execute
without getting a sandbox that only allows named programs to execute.

 

[Aaron]

Of course, you are talking about the difference between outbound and
inbound protection. Inbound protection is much easier generally (hence
MS's XP firewall!), because for most home computers you are not running
anything as a server so the firewall basically blocks anything except for
relies to outbound requests.

Above is the test without XP services tweaking.

Below is the same tests after tweaking XP services to safe and running
"Windows Worms Doors Cleaner," which makes sure 5 common worm entries
are closed:

http://www.firewallleaktester.com/wwdc.htm (WWDC page)


The results are the same. Not good for Kerio 2.1.5. I only have
minimal services running now. Below are other steps I tried:

Sorry, leak tests (with some exceptions that use services to request
connections) do not rely on services to run. What wwwdc does is to close
ports , so that you are not vulernable to inbound attacks even if your
firewall is down.

I don't know what else to do...

Investigate system safety monitor, abtrusioner protector or proccessguard
(free).

The only way to be certain of beating leak tests is to restrict processes
from starting at all, or from starting others (a common way of tricking
firewalls).

As I mentioned above, run one of them in test mode. Allow those
processes, then lock down and prevent other processes from running.
On your own computer, you can set it to "prompt".

I set a Kerio rule for Internet Explorer explicitly denying all
internet access and got somewhat better results.

This stopped CopyCat, Firehole, Surfer, TooLeaky and WallBreaker, so
these must focus on IE weaknesses.

Of course, it would be trival to modify them to use Firefox, Opera etc,
and you are back where you are. MSIE has weaknesses, but in this case,
it's not targetted at IE weakness specifically. To not use IE does not
solve the root of the problem which is the firewall not recognising the
ultimate source of the outbound connection.

DNSTester, Ghost, PCAudit2, Thermite and AWFT are still viable
exploits!

Of course. DNSTester I believe for example exploits the DNS service. This
can be stopped if I recall correctly by tightening the rules for DNS.

I'm curious if XP/Kerio alone is vulnerable, or if all Win
versions/firewalls (freeware and commercial) crumble when these tiny
programs are executed. The link above has the exploits if anyone else
cares to try. They are quick to dl and execute.

Most are vulnerable, though some tests do rely on specfic NT features.

Hope this helps.

 

[JanC]

REM schreef:

DNSTester

This probably "abuses" DNS connections. But you can't use the internet
(comfortably) without DNS, so blocking it completely is not a good idea...

 

[NT Canuck]

A lot of experts are of the opinon that (perhaps short of a process
sandbox)

may help...freebie not tested...
http://www.sandboxie.com/

 

[John Corliss]

That's true and I started to write that, but I didn't. If you have kids using
the PC as I do you never know what they might install, intentionally, tricked,
or trojaned. So, it seems important that the system be able to handle as many
exploits as possible. Kerio, unfortunately, scores pretty low in comparison to
other firewalls, some of which are commercial.

Also, none of these disabled Kerio as far as I can see. They simply utilized
Windows to reroute through programs and services maked as OK in Kerio. I suggest
giving these a try in ME just to see some capabilities of _known and published_
exploit techniques for your own interest. I was hoping that Art would try hese
also.

I have read further though and this looks like, shoulda guess it, a Windows
leak. The default settings for XP are dangerous, but hey, they work for
everyone! The firewall cannot contain massive leaks that Windows itself
provides.

I'm in the process of trying safer settings and then I'll try the exploits again
and see if Kerio performs better.

This page was linked from the page that contains the exploits and is pretty good
in explaining the Windows default settings problem and fix.

http://www.blackviper.com/WinXP/servicecfg.htm

I've been exploited myself twice and was forced to do a complete reinstall. I
think the real problem was that during both installs I was cramped for time and
never tweaked the default Windows settings and services running. I did look at
GRC, but he hasn't really done anything for XP as far as this goes. The above
link is a better choice for XP settings.

One quick fix I read about, setup IE in Kerio and explicity deny! That's just
the tip of the iceburg I fear. The above site does offer registry files that can
be merged to correct most problems in the default Win settings.

I'm hoping that the initial results were the result of MS settings and not
Kerio.

My last rule is the infamous "Deny all" one. When I install a reliable
program that needs to contact a server to download updates (Ad-Aware
for instance) then I temporarily turn that rule off and tell the new
program to try and call out. Once Kerio alerts me and I set a new rule
for the program, then I turn the "Deny all" rule back on.

I don't have any Trojans or virii at this point, never really have
except for the "Happy99" back in '99. That one was actually quite
entertaining and was easy to remove. Taught me a lesson too.

I say, "IVIDWURGZDOANMEZWIDIT." 80)>

 

[REM]

Aaron <[email protected]> wrote:

Sorry, leak tests (with some exceptions that use services to request
connections) do not rely on services to run. What wwwdc does is to close
ports , so that you are not vulernable to inbound attacks even if your
firewall is down.

I see.

Investigate system safety monitor, abtrusioner protector or proccessguard
(free).

Will do. This is a slap in the face. I don't see what could prevent most anyone
from grabbing the code for one of these and sticking it into pretty much any
application, GPL, whatever. There would be no outbound warnings. Until someone
discovered it, it could be distributed all over as a new application with minor
cosmetic changes. That's really scary.

Most are vulnerable, though some tests do rely on specfic NT features.

Hope this helps.

Yes, it does.

 

[JanC]

REM schreef:

Will do. This is a slap in the face. I don't see what could prevent
most anyone from grabbing the code for one of these and sticking it
into pretty much any application, GPL, whatever. There would be no
outbound warnings. Until someone discovered it, it could be
distributed all over as a new application with minor cosmetic changes.
That's really scary.

The "problem" for a trojan would be to find out which applications are
allowed to "go out".

 

[jo]

REM schreef:


The "problem" for a trojan would be to find out which applications are
allowed to "go out".

Nope. They can just keep trying till they get a hit. I spent quite a bit
of time with leak tests a few months ago and remember being interested
to see 'notepad' trying to connect out.

 

[jo]

Yes, like if you are careless and download/run some particularly evil
malware, chances are you are dead, regardless of your defences.

I get the impression from reading some of your posts that you regard the
internet as a particularly scarey place to be...

 

[jo]

I don't know what else to do...

Hang around comp.security.firewalls for a while.

Do a bit of research.

This is a nice site:

http://www.hackerwhacker.com/