cbcvebase.
CVE-2003-0220
published 2003-05-12


Priority: P355
Severity: high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 68.59% (99.3th percentile)
Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
kerio | personal_firewall_2 | |
kerio | personal_firewall_2 | |
kerio | personal_firewall_2 | |
kerio | personal_firewall_2 | |
kerio | personal_firewall_2 | |

Detection & IOCs (extracted from sources)

port: 44334
bytes: \x81\xc4\x54\xf2\xff\xff
bytes: 00 00 14 9c
bytes: buf[0]=0; buf[1]=0; buf[2]=0x14; buf[3]=0xffffff9c
  • Detect exploit attempts by monitoring for TCP connections to port 44334 (Kerio Personal Firewall admin port) with oversized or malformed authentication handshake packets, particularly those with a negative or anomalously large 4-byte length field in the packet header (e.g., 0xffffff9c or 0x149c).
  • The exploit sends a buffer of ~5277 bytes to port 44334 after receiving the server banner (two recv calls), with NOP sled starting at offset 900 and shellcode embedded within. Alert on large first-send payloads to port 44334 after banner exchange.
  • The Metasploit module targets Windows 2000 Pro SP4 English (ret 0x7c2ec68b), Windows XP Pro SP0 English (ret 0x77e3171b), and Windows XP Pro SP1 English (ret 0x77dc5527). Presence of these return addresses in network traffic to port 44334 is a strong exploit indicator.
  • The stack pivot prepend stub \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appears at the start of the payload encoder. Signature-match this byte sequence in TCP payloads destined for port 44334.
  • The older Perl Metasploit module uses AlphaNumText padding of 4268 bytes followed by shellcode and a near-JMP opcode \xe9\x0b\xfe\xff\xff. Detect this JMP-back stub in payloads to port 44334.
  • The PoC exploit embeds a download-and-execute URL (http://reversedhell.net/hackyou.exe) directly in the shellcode payload. Inspect payloads to port 44334 for embedded HTTP URLs pointing to executable files.
  • The vulnerability only affects Kerio Personal Firewall 2.1.4 and earlier; the admin port 44334 is the attack surface. Exploitation requires network access to this port, which may be restricted by the firewall's own rules.
  • The Metasploit module has only been tested against specific Windows targets (Win2000 SP4, WinXP SP0/SP1 English); return addresses are platform-specific and exploitation on other builds may fail.
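The detection notes above can be combined into one check on the first client payload sent to port 44334 after the banner exchange. This is an added example, not code from the referenced sources; the function name `inspect_first_send`, the 1024-byte threshold, the little-endian encoding of the return addresses and the big-endian reading of the 4-byte header are assumptions.

```python
import re

ADMIN_PORT = 44334  # KPF administration port named in the notes above

# Byte patterns quoted in the detection notes above.
SIGNATURES = {
    "stack_pivot_add_esp": b"\x81\xc4\x54\xf2\xff\xff",
    "jmp_back_stub": b"\xe9\x0b\xfe\xff\xff",
}
# Return addresses from the notes. Assumption: they appear on the wire in
# little-endian byte order, as 32-bit x86 stores them.
for name, addr in {"ret_win2000_sp4": 0x7C2EC68B,
                   "ret_winxp_sp0": 0x77E3171B,
                   "ret_winxp_sp1": 0x77DC5527}.items():
    SIGNATURES[name] = addr.to_bytes(4, "little")

EXE_URL = re.compile(rb"https?://[\x21-\x7e]{1,200}?\.exe", re.IGNORECASE)
MAX_HANDSHAKE = 1024  # hypothetical threshold; tune to observed admin traffic


def inspect_first_send(dst_port, payload, max_len=MAX_HANDSHAKE):
    """Return sorted indicator names for the client's first payload after the banner."""
    if dst_port != ADMIN_PORT:
        return []
    hits = [n for n, sig in SIGNATURES.items() if sig in payload]
    if EXE_URL.search(payload):
        hits.append("embedded_exe_url")
    if len(payload) > max_len:
        hits.append("oversized_first_send")
    # Assumption: the first 4 bytes are a big-endian length, matching the
    # "00 00 14 9c" header bytes listed above (0x149c).
    if len(payload) >= 4 and int.from_bytes(payload[:4], "big") > max_len:
        hits.append("large_length_field")
    return sorted(hits)


# Constructed, inert sample payloads (filler bytes only, no shellcode).
BENIGN = b"\x00\x00\x00\x40" + b"A" * 64
SUSPICIOUS = b"\x00\x00\x14\x9c" + b"P" * 2000 + SIGNATURES["stack_pivot_add_esp"] + b"P" * 100

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_first_send(ADMIN_PORT, data))
```

Because the return addresses are platform-specific, a payload that matches none of them can still trip the size and length checks, so treat the indicators as independent signals.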