Home page logo

bugtraq logo Bugtraq mailing list archives

[CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software
From: Secure Computer Group <scg () udc es>
Date: Tue, 14 Dec 2004 11:08:25 +0100


           Secure Computer Group - University of A Coruna

                              -- x --

          dotpi.com Information Technologies Research Labs


ID:                        #20041214-2
Document title:            Insecure default file system permissions on
Microsoft versions of Kerio Software
Document revision:         1.0

Coordinated release date:  2004/12/14
Vendor Acknowledge date:   2004/11/10
Reported date:             2004/11/08

CVE Name:                  CAN-2004-1023

Other references:          N/A


  Impact:                  Privilege escalation
                           System sofware tampering
                           Trojan injection
                           Second-stage attack vector
                           Alter configuration files

  Rating/Severity:         Low
  Recommendation:          Update to latest version
                           Enforce file system ACLs

  Vendor:                  Kerio Technologies Inc.

  Affected software:       Kerio WinRoute Firewall (all versions)
                           Kerio ServerFirewall (all versions)
                           Kerio MailServer (all windows versions)

  Updates/Patches:         Yes (see below)

General Information:

  1. Executive summary:

     As a result of its collaboration relationship the Secure Computer
     Group (SCG) along with dotpi.com Research Labs have determined
     the following security issue on some Kerio Software.

     Kerio WinRoute Firewall, Kerio ServerFirewall and Kerio MailServer
     are installed by default under 'Program Files' system folder. No
     change is done to the ACLs after the installation process.

     As a result, anyone belonging to the 'Power Users' system group
     would be able to modify binary files of services running as
     LOCALSYSTEM, drop malicious DLLs the plug-ins folder or perform
     any change on the XML files where the service settings are

     System administrators should enforce ACL security settings in
     order solve this problem. It is also highly recommended to
     verify this settings as part of the planning, installation,
     hardening and auditing processes.

     New versions of the software solve this an other minor problems
     so it is upgrade its highly recommended.

  2. Technical details:

     Following the latest trends and approaches to responsible
     disclosure, SCG and dotpi.com are going to withhold details of
     this flaw for three months.

     Full details will be published on 2005/03/14. This three month
     window will allow system administrators the time needed to
     obtain the patch before the details are released to the general

  3. Risk Assessment factors:

     The attacker would need local interactive access to the
     installation directory. Remote access is also possible but
     default system settings do not make this easy.

     The most risky scenarios are the ones in which the server machine
     is shared among two or more users or those situations where Kerio
     service management have been delegated to a third party any other
     than local or domain system administrator.

     Special care should be taken on such environments and every step
     of the project: design, planning, deployment and management
     should consider this security issues.

     Privilege escalation, system and software tampering and the
     ability to alter service configuration are all real issues and
     all of them can be used as a second stage attack vector.

  4. Solutions and recommendations:

     Enforce the file system ACLs and/or upgrade to the latest

        o Kerio Winroute Firewall 6.0.9
        o Kerio ServerFirewall 1.0.1

        o Kerio MailServer 6.0.5

     As in any other case, follow, as much as possible, the Industry
     'Best Practices' on Planning, Deployment and Operation on this
     kind of services.

  5. Common Vulnerabilities and Exposures (CVE) project:

     The Common Vulnerabilities and Exposures (CVE) project has
     assigned the name CAN-2004-1023 to this issue. This is a
     candidate for inclusion in the CVE list (http://cve.mitre.org),
     which standardizes names for security problems.



  1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole
     Technical Team from Kerio Technologies (support at kerio.com)
     for their quick response and professional handling on this issue.

  3. The whole Research Lab at dotpi.com and specially to Carlos Veira
     for his leadership and support.

  3. Secure Computer Group at University of A Coruna (scg at udc.es),
     and specially to Antonino Santos del Riego powering new research
     paths at University of a Coruna.



  Javier Munoz (Secure Computer Group) is credited with this discovery.


Related Links:

  [1] Kerio Technologies Inc.

  [2] Kerio WinRoute Firewall Downloads & Updates

  [3] Kerio ServerFirewall Downloads & Updates

  [4] Kerio MailServer Downloads & Updates

  [5] Secure Computer Group. University of A Coruna

  [6] Secure Computer Group. Updated advisory

  [7] dotpi.com Information Technologies S.L.

  [8] dotpi.com Research Labs


Legal notice:

  Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
  Copyright (c) 2004 dotpi.com Information Technologies S.L.

  Permission is granted for the redistribution of this alert
  electronically. It may not be edited in any way without the express
  written consent of the authors.

  If you wish to reprint the whole or any part of this alert in any
  other medium other than electronically, please contact the authors
  for explicit written permission at the following e-mail addresses:
  (scg at udc.es) and (info at dotpi.com).

  Disclaimer: The information in the advisory is believed to be
  accurate at the time of publishing based on currently available
  information. Use of the information constitutes acceptance for use
  in an AS IS condition.

  There are no warranties with regard to this information. Neither the
  author nor the publisher accepts any liability for any direct,
  indirect, or consequential loss or damage arising from use of, or
  reliance on, this information.

  By Date           By Thread  

Current thread:
  • [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software Secure Computer Group (Dec 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]