Kerio Fake 'iphlpapi' DLL injection Vulnerability

2007.01.05
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 10/10
Exploitability Subscore: 3.1/10
Exploit range: Local
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hello, We would like to inform you about a vulnerability Sunbelt Kerio Personal Firewall: Description: When Sunbelt Kerio Personal Firewall (SKPF) loads dependant modules, it relies on the operating system. System library iphlpapi.dll is located in the system directory but the main SKPF service, which requires and loads this DLL, is located in the installation directory of SKPF. This is why it tries to find iphlpapi.dll in its installation directory at first and then, if it is not found in this directory, it tries to find it in the system directory. Moreover, it is possible to create new files in the installation directory of SKPF. A malicious application can create a fake iphlpapi.dll in the installation directory of SKPF, which will be loaded by the operating system into the SKPF service during its initialization. This is how the malicious application is able to execute an arbitrary code inside SKPF service and bypass any of its security mechanisms. Vulnerable software: * Sunbelt Kerio Personal Firewall 4.3.268 * Sunbelt Kerio Personal Firewall 4.3.246 * probably all versions of Sunbelt Kerio Personal Firewall 4 * possibly older versions of Sunbelt Kerio Personal Firewall More details and a proof of concept including its source code are available here: http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injectio n.php Regards, -- Matousec - Transparent security Research http://www.matousec.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top