<<< Date Index >>>     <<< Thread Index >>>

[CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software



______________________________________________________________________


           Secure Computer Group - University of A Coruna
                   http://research.tic.udc.es/scg/

                              -- x --

          dotpi.com Information Technologies Research Labs
                        http://www.dotpi.com

______________________________________________________________________

ID:                        #20041214-2
Document title:            Insecure default file system permissions on
Microsoft versions of Kerio Software
Document revision:         1.0

Coordinated release date:  2004/12/14
Vendor Acknowledge date:   2004/11/10
Reported date:             2004/11/08

CVE Name:                  CAN-2004-1023

Other references:          N/A
______________________________________________________________________

Summary:

  Impact:                  Privilege escalation
                           System sofware tampering
                           Trojan injection
                           Second-stage attack vector
                           Alter configuration files

  Rating/Severity:         Low
  Recommendation:          Update to latest version
                           Enforce file system ACLs

  Vendor:                  Kerio Technologies Inc.

  Affected software:       Kerio WinRoute Firewall (all versions)
                           Kerio ServerFirewall (all versions)
                           Kerio MailServer (all windows versions)

  Updates/Patches:         Yes (see below)
______________________________________________________________________

General Information:

  1. Executive summary:
     ------------------

     As a result of its collaboration relationship the Secure Computer
     Group (SCG) along with dotpi.com Research Labs have determined
     the following security issue on some Kerio Software.

     Kerio WinRoute Firewall, Kerio ServerFirewall and Kerio MailServer
     are installed by default under 'Program Files' system folder. No
     change is done to the ACLs after the installation process.

     As a result, anyone belonging to the 'Power Users' system group
     would be able to modify binary files of services running as
     LOCALSYSTEM, drop malicious DLLs the plug-ins folder or perform
     any change on the XML files where the service settings are
     stored.

     System administrators should enforce ACL security settings in
     order solve this problem. It is also highly recommended to
     verify this settings as part of the planning, installation,
     hardening and auditing processes.

     New versions of the software solve this an other minor problems
     so it is upgrade its highly recommended.


  2. Technical details:
     ------------------

     Following the latest trends and approaches to responsible
     disclosure, SCG and dotpi.com are going to withhold details of
     this flaw for three months.

     Full details will be published on 2005/03/14. This three month
     window will allow system administrators the time needed to
     obtain the patch before the details are released to the general
     public.


  3. Risk Assessment factors:
     ------------------------

     The attacker would need local interactive access to the
     installation directory. Remote access is also possible but
     default system settings do not make this easy.

     The most risky scenarios are the ones in which the server machine
     is shared among two or more users or those situations where Kerio
     service management have been delegated to a third party any other
     than local or domain system administrator.

     Special care should be taken on such environments and every step
     of the project: design, planning, deployment and management
     should consider this security issues.

     Privilege escalation, system and software tampering and the
     ability to alter service configuration are all real issues and
     all of them can be used as a second stage attack vector.


  4. Solutions and recommendations:
     ------------------------------

     Enforce the file system ACLs and/or upgrade to the latest
     versions:

        o Kerio Winroute Firewall 6.0.9
        
        o Kerio ServerFirewall 1.0.1

        o Kerio MailServer 6.0.5

     As in any other case, follow, as much as possible, the Industry
     'Best Practices' on Planning, Deployment and Operation on this
     kind of services.


  5. Common Vulnerabilities and Exposures (CVE) project:
     ---------------------------------------------------

     The Common Vulnerabilities and Exposures (CVE) project has
     assigned the name CAN-2004-1023 to this issue. This is a
     candidate for inclusion in the CVE list (http://cve.mitre.org),
     which standardizes names for security problems.

______________________________________________________________________

Acknowledgements:

  1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole
     Technical Team from Kerio Technologies (support at kerio.com)
     for their quick response and professional handling on this issue.

  3. The whole Research Lab at dotpi.com and specially to Carlos Veira
     for his leadership and support.

  3. Secure Computer Group at University of A Coruna (scg at udc.es),
     and specially to Antonino Santos del Riego powering new research
     paths at University of a Coruna.

______________________________________________________________________

Credits:

  Javier Munoz (Secure Computer Group) is credited with this discovery.

______________________________________________________________________

Related Links:

  [1] Kerio Technologies Inc.
      http://www.kerio.com/

  [2] Kerio WinRoute Firewall Downloads & Updates
      http://www.kerio.com/kwf_download.html

  [3] Kerio ServerFirewall Downloads & Updates
      http://www.kerio.com/ksf_download.html

  [4] Kerio MailServer Downloads & Updates
      http://www.kerio.com/kms_download.html

  [5] Secure Computer Group. University of A Coruna
      http://research.tic.udc.es/scg/

  [6] Secure Computer Group. Updated advisory
      http://research.tic.udc.es/scg/advisories/20041214-2.txt

  [7] dotpi.com Information Technologies S.L.
      http://www.dotpi.com/

  [8] dotpi.com Research Labs
      http://www.dotpi.com/research/

______________________________________________________________________

Legal notice:

  Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
  Copyright (c) 2004 dotpi.com Information Technologies S.L.

  Permission is granted for the redistribution of this alert
  electronically. It may not be edited in any way without the express
  written consent of the authors.

  If you wish to reprint the whole or any part of this alert in any
  other medium other than electronically, please contact the authors
  for explicit written permission at the following e-mail addresses:
  (scg at udc.es) and (info at dotpi.com).

  Disclaimer: The information in the advisory is believed to be
  accurate at the time of publishing based on currently available
  information. Use of the information constitutes acceptance for use
  in an AS IS condition.

  There are no warranties with regard to this information. Neither the
  author nor the publisher accepts any liability for any direct,
  indirect, or consequential loss or damage arising from use of, or
  reliance on, this information.
_____________________________________________________________________