CVE-2003-0220
Published 2003-05-12. CVE-2003-0220: Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary…
Priority P3 · 55 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 68.59% (99.3rd percentile)
Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kerio | personal_firewall_2 | — | — |
| kerio | personal_firewall_2 | — | — |
| kerio | personal_firewall_2 | — | — |
| kerio | personal_firewall_2 | — | — |
| kerio | personal_firewall_2 | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x81\xc4\x54\xf2\xff\xff
- bytes: 00 00 14 9c
- bytes: buf[0]=0; buf[1]=0; buf[2]=0x14; buf[3]=0xffffff9c
- Detect exploit attempts by monitoring for TCP connections to port 44334 (Kerio Personal Firewall admin port) with oversized or malformed authentication handshake packets, particularly those with a negative or anomalously large 4-byte length field in the packet header (e.g., 0xffffff9c or 0x149c).
- The exploit sends a buffer of ~5277 bytes to port 44334 after receiving the server banner (two recv calls), with a NOP sled starting at offset 900 and shellcode embedded within. Alert on large first-send payloads to port 44334 after the banner exchange.
- The Metasploit module targets Windows 2000 Pro SP4 English (ret 0x7c2ec68b), Windows XP Pro SP0 English (ret 0x77e3171b), and Windows XP Pro SP1 English (ret 0x77dc5527). Presence of these return addresses in network traffic to port 44334 is a strong exploit indicator.
- The stack pivot prepend stub \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appears at the start of the payload encoder. Signature-match this byte sequence in TCP payloads destined for port 44334.
- The older Perl Metasploit module uses AlphaNumText padding of 4268 bytes followed by shellcode and a near-JMP opcode \xe9\x0b\xfe\xff\xff. Detect this JMP-back stub in payloads to port 44334.
- The PoC exploit embeds a download-and-execute URL (http://reversedhell.net/hackyou.exe) directly in the shellcode payload. Inspect payloads to port 44334 for embedded HTTP URLs pointing to executable files.
- Note: the vulnerability only affects Kerio Personal Firewall 2.1.4 and earlier; the admin port 44334 is the attack surface. Exploitation requires network access to this port, which may be restricted by the firewall's own rules.
- Note: the Metasploit module has only been tested against specific Windows targets (Win2000 SP4, WinXP SP0/SP1 English); return addresses are platform-specific and exploitation on other builds may fail.
No detection rules found.
Exploit-DB
Kerio Personal Firewall 2.1.4 - Authentication Packet Overflow (Metasploit)
exploitdb · 2010-06-15
---
##
# $Id: kerio_auth.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Kerio Firewall 2.1.4 Authentication Packet Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Kerio Personal Firewall
administration authentication process. This module has only been tested
against Kerio Personal Firewall 2 (2.1.4).
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9525 $',
'References' =>
[
Exploit-DB
Kerio Personal Firewall 2.1.4 - Remote Authentication Packet Overflow (Metasploit)
exploitdb · 2006-02-28
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::kerio_auth;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Kerio Personal Firewall 2 (2.1.4) Remote Authentication Packet Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winx
Exploit-DB
Kerio Personal Firewall 2.1.4 - Remote Code Execution
exploitdb · 2003-05-08
---
/*
* Kerio Personal Firewall v2.1.4 remote code execution exploit
* Tested on Windows XP with SP1
*
* In order to exploit, for ease of mind, set the firewall to permit all traffic, or allow
* a connection to port 44334 from your testing unix shell ip.
*
* It is also possible to use UDP instead of TCP
*
* It works out very well, if not, hit a few times with a ret addr of 0x41414141 to make it crash
* AT THAT addr. Then use the original one, it will work. The one I used points to a 'call esp'
* inside the RPCRT4.DLL.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 44334 // the port client will be connecting to, default Kerio admin port
#define retpos 5272
#define MAXDATASIZE 5277 //
Exploit-DB
Kerio Personal Firewall 2.1.x - Remote Authentication Packet Buffer Overflow (2)
exploitdb · 2003-04-30
---
// source: https://www.securityfocus.com/bid/7180/info
A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.
Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall.
Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.
/*********************************************
Exploit-DB
Kerio Personal Firewall 2.1.x - Remote Authentication Packet Buffer Overflow (1)
exploitdb · 2003-04-28
---
source: https://www.securityfocus.com/bid/7180/info
A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.
Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall.
Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.
import os
import socket
import struct
import stri
Metasploit
Kerio Firewall 2.1.4 Authentication Packet Overflow
metasploit
This module exploits a stack buffer overflow in Kerio Personal Firewall administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4).
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=105155734411836&w=2
- http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
- http://www.kb.cert.org/vuls/id/454716
- http://www.securityfocus.com/bid/7180
Published: 2003-05-12