UDP bypassing in Kerio Firewall 2.1.4

["David F. Madrid" <conde0 () telefonica net>]

Issue : UDP bypassing in Kerio Firewall

Affected product : Kerio Firewall 2.1.4 ( last build in his website )

Vendor status : vendor was contacted months ago

Tested Enviroment : switched LAN

Description :

Kerio develops a free firewall thats ships with default rules . Every
incoming / outgoing packet is compared against the default ruleset . As
the first rule accepts incoming packets if remote port is equal to 53 (
DNS ) the firewall can be easily bypassed just setting the source port of
the attack to 53
Exploit : nmap -v -P0 -sU -p 1900 192.168.0.5 -g 53

Recomendations : set a rule to restrict the local ports to a range of
1024-5000 for DNS connections

-- 
Regards ,

David F. Madrid
Madrid , Spain

www.nautopia.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html