gasilforce.blogg.se

Kerio connect and apache

Multiple critical security vulnerabilities have been identified by René Freingruber and Raschin Tavakoli of SEC Consult, which are documented in our technical security advisory.

The attacker doesn’t attack the firewall system directly; instead a victim is tricked into visiting the attacker’s website. The website includes malicious content (images, forms, JavaScript) which instructs the victim’s browser to send requests from inside the internal network directly to Kerio Control. Because of this, not a single port has to be open from the Internet on Kerio Control. Kerio Control implements weak protections against these types of attacks, which can be bypassed easily. The exploit is delivered blind (the website can’t read responses to the requests sent to the internal network because of SOP restrictions – the same-origin policy). It’s also important to note that it’s possible to brute-force the internal Kerio Control credentials via the method described below, even if the system is not accessible from the Internet. This is achieved via a side channel and a normally minor information leak vulnerability. It is a very good example of why internal systems, too, should be secured by strong credentials and why seemingly minor security issues have to be fixed.

The first attack vector heavily abuses two PHP scripts. Both scripts are not referenced by any other file in Kerio Control and contain two different(!) seemingly deliberate(?) CSRF check bypasses. These two scripts contain multiple vulnerabilities which attackers need for establishing reverse root shells into company networks: remote code execution with root privileges, CSRF check bypasses (which make it exploitable from the Internet), XSS (which could be used to defeat SOP) and vulnerable code exploitable for heap spraying (to defeat ASLR). Moreover, one additional script, which leaks heap and stack pointers, can be used to defeat ASLR. For instance, Kerio Control uses a 6-year-old PHP binary which contains a countless number of memory corruption vulnerabilities. For demonstration, we picked one such memory corruption bug and wrote an exploit for it.

The second attack vector doesn’t use a memory corruption vulnerability; instead we use a publicly known vulnerability in Kerio Control which has not been fixed in the past 12 months (reported by Raschin Tavakoli, now an employee at SEC Consult). The full exploit is publicly available on exploit-db ( ); only the XSS (cross-site scripting) vulnerability it used was fixed. However, this attack has the pre-condition that the attacked victim is currently logged in as administrator (or that we can obtain administrator credentials via the brute-force attack). Kerio’s response to this reported vulnerability (and to the vulnerability that the webserver is running with root privileges) was: “I do not consider this a vulnerability”. To demonstrate that the issue still exists, we searched for two other XSS vulnerabilities to turn the XSS vulnerabilities again into a remotely exploitable reverse root shell. We have just discovered another XSS 0-day vulnerability which can again be used to obtain a reverse root shell on the most current Kerio Control system (version 9.1.3 build 1408). We have contacted the vendor again regarding this issue.