Kerio Fake 'iphlpapi' DLL injection Vulnerability

Published: 2007.01.05
Credit: Matousec - Transparent security Research (research matousec com)
Risk: Medium
CWE: N/A
CVE: CVE-2007-0081
Local: Yes
Remote: No

CVSS Base Score: 6.8/10
Impact Subscore: 10/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hello,

We would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall:

Description:

When Sunbelt Kerio Personal Firewall (SKPF) loads dependent modules, it relies on the operating system. The system
library iphlpapi.dll is located in the system directory, but the main SKPF service, which requires and loads this DLL,
is located in the installation directory of SKPF. This is why it first tries to find iphlpapi.dll in its installation
directory and then, if it is not found there, tries to find it in the system directory. Moreover, it is possible to
create new files in the installation directory of SKPF. A malicious application can create a fake iphlpapi.dll in the
installation directory of SKPF, which will be loaded by the operating system into the SKPF service during its
initialization. This is how the malicious application is able to execute arbitrary code inside the SKPF service and
bypass any of its security mechanisms.

Vulnerable software:

* Sunbelt Kerio Personal Firewall 4.3.268
* Sunbelt Kerio Personal Firewall 4.3.246
* probably all versions of Sunbelt Kerio Personal Firewall 4
* possibly older versions of Sunbelt Kerio Personal Firewall

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php

Regards,

--
Matousec - Transparent security Research
http://www.matousec.com/
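
The two conditions the advisory combines (a system DLL name that resolves from the installation directory before the system directory, and an installation directory in which new files can be created) can be audited for. The Python sketch below is an added example, not code from the advisory or from Matousec; the directory layout and file names in `demo()` are constructed stand-ins, and the two-entry search order models only what the advisory states.

```python
import os
import tempfile

def resolve_dll(name, search_dirs):
    """First file matching `name` (case-insensitive) in search order, or None."""
    for directory in search_dirs:
        for entry in sorted(os.listdir(directory)):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None

def shadowed_system_dlls(install_dir, system_dir):
    """DLLs in install_dir whose names collide with a DLL in system_dir."""
    system = {e.lower() for e in os.listdir(system_dir) if e.lower().endswith(".dll")}
    return [os.path.join(install_dir, e) for e in sorted(os.listdir(install_dir))
            if e.lower() in system]

def can_create_files(directory):
    """Probe, as the current user, whether new files can be created here."""
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False

def demo():
    """Run the audit on constructed stand-in directories (not real SKPF paths)."""
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "install")
        system = os.path.join(root, "system32")
        os.mkdir(install)
        os.mkdir(system)
        for d, f in ((system, "iphlpapi.dll"), (system, "kernel32.dll"), (install, "service.exe")):
            open(os.path.join(d, f), "wb").close()  # constructed file names
        order = [install, system]  # installation directory first, as the advisory describes
        before = resolve_dll("iphlpapi.dll", order)
        # A same-named file (different case) now sits in the installation directory.
        open(os.path.join(install, "IPHLPAPI.DLL"), "wb").close()
        after = resolve_dll("iphlpapi.dll", order)
        return {
            "before_dir": os.path.basename(os.path.dirname(before)),
            "after_dir": os.path.basename(os.path.dirname(after)),
            "hits": [os.path.basename(h) for h in shadowed_system_dlls(install, system)],
            "install_writable": can_create_files(install),
        }

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the product's installation directory and the Windows system directory to `shadowed_system_dlls`, and run `can_create_files` as an unprivileged user so the result reflects what a non-administrative process could do.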

Copyright 2014, cxsecurity.com