Archived from groups: comp.security.firewalls
Well, I will see if I can reproduce this at all on my system. I'm very
familiar with how Kerio 2.x works, and I've just set up monitoring of outbound
ICMP type 3 with my DNS servers filtered from the results. I will try to post back
tomorrow to confirm or deny your results from my system, as I should get at
least one fragmented packet in that time frame.
"Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
news:MPG.1b53b5e376db18bd989698@news.west.cox.net...
> In article <GooGc.64082$OB3.21182@bgtnsc05-news.ops.worldnet.att.net>,
> replytonewsroup@server.com says...
>> "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
>> news:MPG.1b539feb96d91055989697@news.west.cox.net...
>> > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
>> > @yahoo.com says...
>> >> Hi,
>> >>
>> >> I often see people in here mention Kerio 2.1.5 as their software
>> >> firewall. Is this "old" build particularly good, or what's the reason for
>> >> choosing this over Kerio 4 (or another software firewall)?
>> >>
>> >> /Troels
>> >>
>> > Kerio 2.1.5 is excellent, however it does have one vulnerability that
>> > most people seem to either ignore or not know about. See this link:
>> >
>> >
http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm
>> >
>> > I can verify that this fragmented packet vulnerability exists in 2.1.5
>> > and earlier, and that someone could potentially get malicious packets
>> > past the firewall. It might not be that likely to happen, but it's
>> > possible.
>> >
>> > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
>> > which doesn't have this vulnerability. Seems to work great. The only
>> > thing I miss in Kerio 4.x is the logging of packets to unopened
>> > ports.
>> >
>> > --
>> > Kerodo
>
>> Well, you consider it a vulnerability, but has it been proven that it's still
>> a problem considering how old the alert is?
>>
>> I can't stand 4x, and I still run 2x.
>
> Yes, I've verified that it's still happening here in 2.1.5. I actually
> stumbled upon it by accident.
>
> Here's how you can see it if you're so inclined. In my area, the
> Messenger spammers are using this exploit to try to get thru firewalls
> that are vulnerable to it.
>
> I first noticed outbound ICMP type 3 packets that were going to
> addresses other than my DNS servers. This is an indication that UDP
> packets are getting thru the firewall inbound somehow. This, in fact,
> is the result of the fragmented packet getting thru. What the spammers
> are doing is sending a fragmented packet and then another packet to port
> 1026 immediately after the fragmented packet. Kerio 2.x accepts the
> fragmented packet AND the packet immediately following it, ignoring all
> your rules.
>
> I installed Sygate 5.5 and could see the two packets coming in
> (fragmented and the packet following the fragmented one). Only Sygate
> was smart enough to block the 2nd packet, as it should and as Kerio
> should, but isn't.
>
> What you should do is enable logging in 2.1.5 of outbound ICMP type 3
> and see if you see any packets going out to addresses other than your
> ISP's DNS Servers. If you do, then it's happening on your machine also.
> It may not happen to some people if the spammers are not hitting your IP
> range. Some people insist that it's not happening to them.
>
> I don't know much about the technical details of this fragmented packet
> exploit, but I've seen it reported in some Linux-related arenas also.
>
> I don't really love Kerio 4.x that much either, but I find I can use my
> Kerio 2.x rules in Kerio 4, and Kerio 4 is safer in that it's not
> vulnerable to this exploit. They have apparently fixed this problem in
> version 4.xx. Kerio 4 has some bugs still, and I wouldn't dream of
> trying any of the current betas, but I'm using 4.0.16 here with fairly
> good results with my Kerio 2.x rule set. I much prefer Kerio 2.1.5
> also, but the vulnerability bothers me, so I use Kerio 4.
>
> To each his own I guess...
>
> --
> Kerodo
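The check Kerodo describes above (outbound ICMP type 3 replies going to hosts other than your DNS servers mean an inbound UDP datagram reached the machine despite the rules) can be automated from captured packets rather than from the firewall's own log. An ICMP destination-unreachable reply carries the IP header plus the first 8 bytes of the datagram that provoked it (RFC 792), so the reply itself reveals which remote host got a packet through and to which port. The following is an added example, not code from the original thread or from Kerio; the packet builder, the DNS server list and the sample traffic are constructed here purely for illustration (RFC 5737 documentation addresses).

```python
"""Flag outbound ICMP port-unreachables sent to hosts that are not our resolvers.

Added example, not part of the original post. Sample packets are constructed
below; on a real host you would feed it raw IPv4 packets from a capture.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_PORT_UNREACH = 3   # ICMP code under type 3


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (IP and ICMP use the same)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_port_unreachable(host: str, remote: str, sport: int, dport: int) -> bytes:
    """Constructed reply `host` emits after `remote` hit closed UDP port `dport`.
    The ICMP body embeds the offending datagram's IP header + its 8-byte UDP header."""
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner_ip = ipv4_header(remote, host, 17, len(inner_udp))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + inner_ip + inner_udp
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(host, remote, 1, len(icmp)) + icmp


def parse_icmp_unreachable(pkt: bytes):
    """Decode an IPv4 packet; return details if it is ICMP type 3, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                     # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    sport = dport = None
    if inner_proto in (6, 17):           # TCP/UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "code": icmp[1], "inner_proto": inner_proto,
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_sport": sport, "inner_dport": dport}


def find_leaks(packets, dns_servers):
    """Kerodo's check: outbound ICMP type 3 whose destination is not one of our
    DNS servers. Returns (remote, inner_proto, reached_port) per suspect reply."""
    dns = {ipaddress.IPv4Address(a) for a in dns_servers}
    leaks = []
    for pkt in packets:
        info = parse_icmp_unreachable(pkt)
        if info is None or ipaddress.IPv4Address(info["dst"]) in dns:
            continue                     # not ICMP 3, or an expected reply to a resolver
        leaks.append((info["dst"], info["inner_proto"], info["inner_dport"]))
    return leaks


# Constructed sample traffic: one benign late DNS reply, two datagrams to port 1026/1027.
HOST = "192.0.2.10"
DNS_SERVERS = ["203.0.113.53", "203.0.113.54"]
SAMPLE = [
    build_port_unreachable(HOST, "203.0.113.53", 53, 33000),
    build_port_unreachable(HOST, "198.51.100.7", 1026, 1026),
    build_port_unreachable(HOST, "198.51.100.9", 4444, 1027),
]

if __name__ == "__main__":
    for remote, proto, port in find_leaks(SAMPLE, DNS_SERVERS):
        print(f"inbound proto {proto} to port {port} from {remote} reached the host")
```

Only replies to destinations outside the resolver set are reported, matching the filtering Kerodo suggests; a hit on port 1026 or 1027 from an unknown source is the Messenger-spam pattern the thread describes. Note that a port-unreachable is only generated when the port is closed, so a datagram that reaches an open port leaves no ICMP trace and this check will not see it.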