[Full-disclosure] Kerio Fake 'iphlpapi' DLL injection Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Kerio Fake 'iphlpapi' DLL injection Vulnerability
- From: Matousec - Transparent security Research <research@xxxxxxxxxxxx>
- Date: Mon, 01 Jan 2007 14:05:49 +0100
Hello,
We would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall:
Description:
When Sunbelt Kerio Personal Firewall (SKPF) loads dependent modules, it relies on the operating system. The system library iphlpapi.dll is located in the system directory, but the main SKPF service, which requires and loads this DLL, is located in the installation directory of SKPF. This is why it tries to find iphlpapi.dll in its installation directory first and then, if it is not found in this directory, it tries to find it in the system directory. Moreover, it is possible to create new files in the installation directory of SKPF. A malicious application can create a fake iphlpapi.dll in the installation directory of SKPF, which will be loaded by the operating system into the SKPF service during its initialization. This is how the malicious application is able to execute arbitrary code inside the SKPF service and bypass any of its security mechanisms.
Vulnerable software:
* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.3.246
* probably all versions of Sunbelt Kerio Personal Firewall 4
* possibly older versions of Sunbelt Kerio Personal Firewall
More details and a proof of concept including its source code are available
here:
http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php
Regards,
--
Matousec - Transparent security Research
http://www.matousec.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
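Added example, not part of the original message and not Matousec's proof of concept: a small audit check that models only the two-step lookup the description gives (installation directory first, then system directory) and reports imported DLLs that would resolve from the installation directory although the system directory also provides them. The function names, directory layout and import list are assumptions constructed for illustration.

```python
import os
import tempfile

def resolve_dll(name, search_dirs):
    """Return (directory, path) of the first case-insensitive match, or None."""
    for d in search_dirs:
        try:
            entries = os.listdir(d)
        except OSError:
            continue  # a missing or unreadable directory is skipped
        for entry in entries:
            if entry.lower() == name.lower():
                return d, os.path.join(d, entry)
    return None

def audit_shadowing(app_dir, system_dir, imports):
    """List paths in app_dir that win the lookup over a same-named system DLL."""
    system_names = {e.lower() for e in os.listdir(system_dir)}
    findings = []
    for name in imports:
        hit = resolve_dll(name, [app_dir, system_dir])
        if hit and hit[0] == app_dir and name.lower() in system_names:
            findings.append(hit[1])
    return findings

def dir_is_writable(path):
    """True if the account running the audit can create files in path."""
    return os.access(path, os.W_OK)

def demo():
    # Constructed layout standing in for the install and system directories.
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        sysdir = os.path.join(root, "system32")
        os.makedirs(app)
        os.makedirs(sysdir)
        for d, f in [(sysdir, "iphlpapi.dll"), (sysdir, "ws2_32.dll"),
                     (app, "service.exe")]:
            open(os.path.join(d, f), "wb").close()
        imports = ["iphlpapi.dll", "ws2_32.dll"]  # assumed import list
        before = audit_shadowing(app, sysdir, imports)
        # Empty placeholder with a system DLL's name, different letter case.
        open(os.path.join(app, "IPHLPAPI.DLL"), "wb").close()
        after = audit_shadowing(app, sysdir, imports)
        return before, [os.path.basename(p) for p in after], dir_is_writable(app)

if __name__ == "__main__":
    print(demo())
```

A finding combined with an installation directory that an unprivileged account can write to corresponds to the condition described in the advisory; run the writability check from the least-privileged account of interest.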