LoPhatPhuud
Security Expert Microsoft MVP
 Joined: Mar 09, 2002 Posts: 2229
Posted: Sun Oct 01, 2006 8:13 pm Post subject: Securiteam notice of Kerio vulnerability |
For full information see:
http://www.securiteam.com/windowsntfocus/6D0090AH5O.html
Original article posted here:
http://www.matousec.com/info/advisories/Kerio-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
-----
Kerio Multiple Insufficient Argument Validation of Hooked SSDT Function Vulnerability
Hooking SSDT functions requires extra caution. SSDT function handlers are executed in kernel mode, but their callers are executed in user mode. Hence all function arguments come from user mode. This is why it is necessary to validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and can lead to the execution of arbitrary code in the privileged kernel mode.
Sunbelt Kerio Personal Firewall hooks many functions in SSDT and in at least six cases it fails to validate arguments that come from user mode. User calls to NtCreateFile, NtDeleteFile, NtLoadDriver, NtMapViewOfSection, NtOpenFile, NtSetInformationFile with invalid argument values can cause system crashes because of errors in Kerio drivers fwdrv.sys and khips.sys. Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.
Vulnerable software:
* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.3.246
* Sunbelt Kerio Personal Firewall 4.2.3.912
_________________
Duct tape is like the Force. It has a Light side and a Dark side and it holds the world together.
Microsoft MVP/Consumer Security 2005-2008
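The validation the advisory calls for, shown as an added user-mode model in C (not the Kerio drivers' code and not from the advisory): the struct layouts are simplified stand-ins for OBJECT_ATTRIBUTES and UNICODE_STRING, the probe limit stands in for MmUserProbeAddress, and a real hook would do the same probe-then-copy with ProbeForRead inside __try/__except, since a user page can be unmapped at any time.

```c
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins for UNICODE_STRING and OBJECT_ATTRIBUTES (assumed layouts; the
 * trailing OBJECT_ATTRIBUTES fields are omitted). Not the Kerio drivers' code. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } USTR;
typedef struct { uint32_t Length; void *RootDirectory; const USTR *ObjectName; uint32_t Attributes; } OBJ_ATTR;
/* Highest user-mode address the hook accepts; stands in for MmUserProbeAddress on x64. */
uintptr_t g_user_probe_address = 0x00007FFFFFFF0000ULL;
enum { ST_OK = 0, ST_BAD_POINTER = -1, ST_BAD_LENGTH = -2 };
/* ProbeForRead-style check: reject NULL, misaligned, wrapping or kernel-space ranges without
 * touching the memory. A zero-length range is accepted, as ProbeForRead accepts it. */
static int probe_user_range(const void *p, size_t len, size_t align) {
    uintptr_t a = (uintptr_t)p;
    if (len == 0) return ST_OK;
    if (p == NULL || (a % align) != 0) return ST_BAD_POINTER;
    if (len > g_user_probe_address || a > g_user_probe_address - len) return ST_BAD_POINTER;
    return ST_OK;
}
/* Probe, copy each structure once into kernel-owned buffers, then validate only the copy,
 * so user mode cannot change a field between the check and the use (double fetch). */
int capture_object_attributes(const OBJ_ATTR *user_oa, OBJ_ATTR *koa, USTR *kname) {
    int st = probe_user_range(user_oa, sizeof *koa, sizeof(void *));
    if (st != ST_OK) return st;
    memcpy(koa, user_oa, sizeof *koa);
    if (koa->Length != sizeof *koa) return ST_BAD_LENGTH;
    st = probe_user_range(koa->ObjectName, sizeof *kname, sizeof(void *));
    if (st != ST_OK) return st;
    memcpy(kname, koa->ObjectName, sizeof *kname);
    if (kname->Length > kname->MaximumLength || (kname->Length & 1)) return ST_BAD_LENGTH;
    st = probe_user_range(kname->Buffer, kname->Length, sizeof(uint16_t));
    if (st != ST_OK) return st;
    koa->ObjectName = kname;   /* from here on the hook dereferences kernel-owned data only */
    return ST_OK;
}
/* Constructed sample arguments; static storage plays the role of user-mode memory. */
static const uint16_t g_path[] = { '\\', '?', '?', '\\', 'C', ':' };
static USTR g_name = { sizeof g_path, sizeof g_path, g_path };
static OBJ_ATTR g_good = { sizeof(OBJ_ATTR), NULL, &g_name, 0 };
int demo_valid_call(void) {        /* well-formed arguments: accepted */
    OBJ_ATTR koa; USTR kn; return capture_object_attributes(&g_good, &koa, &kn);
}
int demo_kernel_pointer(void) {    /* OBJECT_ATTRIBUTES pointer in kernel space: rejected unread */
    const OBJ_ATTR *kp = (const OBJ_ATTR *)(uintptr_t)0xFFFF800000000000ULL;
    OBJ_ATTR koa; USTR kn; return capture_object_attributes(kp, &koa, &kn);
}
int demo_bad_name_length(void) {   /* ObjectName.Length exceeds MaximumLength: rejected */
    static USTR bad = { 0x2000, sizeof g_path, g_path };
    static OBJ_ATTR oa = { sizeof(OBJ_ATTR), NULL, &bad, 0 };
    OBJ_ATTR koa; USTR kn; return capture_object_attributes(&oa, &koa, &kn);
}
```

The three demo functions cover the cases a hook sees: arguments that pass, a pointer outside user space that is rejected before any read, and a nested length field that is rejected after the copy.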
saz
Guest IP: 87.3.*.*
Dwarden
Private

 Joined: Oct 14, 2002 Posts: 39 Location: Czech_Republic
Posted: Mon Oct 02, 2006 3:25 pm Post subject: |
Why did Sunbelt buy a security report about KPF nearly 2 months ago and yet was not able to fix these bugs in time?
Does anyone from Sunbelt want to comment and shed some light on this?
It seems that in the end I'm waiting for security tests & reports about Outpost 4 to decide whether to scrap KPF completely ...
MarkB
Guest IP: 80.229.*.*
Posted: Tue Oct 03, 2006 3:49 pm Post subject: |
Dwarden wrote:
It seems that in the end I'm waiting for security tests & reports about Outpost 4 to decide whether to scrap KPF completely ...
Or you can use Comodo which is now a mature program and passes all leak tests.
Mark
earthsound
Trooper

 Joined: Mar 10, 2005 Posts: 21 Location: USA
Posted: Tue Oct 10, 2006 1:42 pm Post subject: |
Just curious to see if Sunbelt has had any response to this problem and whether a beta was available to test a fix for this.
Here is the CVE-2006-5153 vulnerability summary:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5153
david
pcguy999
Private

 Joined: Apr 19, 2005 Posts: 44 Location: USA
Graham1
Captain

 Joined: Dec 21, 2005 Posts: 340
Posted: Sat Oct 14, 2006 4:39 pm Post subject: Re: Does Comodo push ads? |
Well, I've been using CF and CAVS for a while now and I've seen no such ads.
earthsound
Trooper

 Joined: Mar 10, 2005 Posts: 21 Location: USA
Posted: Mon Oct 16, 2006 3:05 pm Post subject: Re: Does Comodo push ads? |
By "ads" Alan means that Comodo can show you its other free offerings within the Launch Pad application... which is sort of a central command app to control the various Comodo products you could have installed on your machine. And even in Launch Pad, you have to click in order to see what they offer. A screenshot is here:
http://forums.comodo.com/index.php/topic,173.msg1853.html#msg1853
The launchpad does not push ads to users via popups, nag screens, etc.
The worst thing he complained about the Launch Pad (and don't forget, this is 5 month old news) at the time was that there was "no documentation or mention of the add on software at Comodo’s web site. As well, there is no method to un-install the software without removing the desired application".
I haven't installed any Comodo software recently, so I cannot comment as to the validity of that statement in the current versions of Comodo software.
david
Graham1
Captain

 Joined: Dec 21, 2005 Posts: 340
J-Mac
Trooper

 Joined: Aug 13, 2006 Posts: 27 Location: USA
Posted: Wed Oct 18, 2006 3:46 am Post subject: |
Just for the record, yes, Comodo does currently install the Launch Pad app without disclosure, and it is true that it cannot be removed without uninstalling the firewall.
At least it was true five weeks ago with the latest version of their firewall.
Other than being surprised that it was silently installed, I saw no particularly suspicious activity from it.
LoPhatPhuud
Security Expert Microsoft MVP
 Joined: Mar 09, 2002 Posts: 2229
Posted: Wed Oct 18, 2006 4:13 am Post subject: |
J-Mac,
The latest version, 2.3.6.81, does not install LaunchPad.
_________________
Duct tape is like the Force. It has a Light side and a Dark side and it holds the world together.
Microsoft MVP/Consumer Security 2005-2008