Advisory 2006-07-15.01
Kerio Terminating 'kpf4ss.exe' using internal runtime error Vulnerability
Basic information:

Release date: July 15, 2006

Last update: July 17, 2006

Type: Coding bugs

Character: Complete system control

Status: Unpatched bugs

Risk: Critical bugs

Exploitability: Locally exploitable bugs

Discoverability: Medium discoverable bugs

Testing program: temporarily unavailable on a request of the product vendor
Description:

Kerio uses strange ring3 hooks that communicates the Kerio driver using an interupt. Windows API CreateRemoteThread is hooked by Kerio in user mode in every process. Calling this API can cause a crash of the Kerio service 'kpf4ss.exe'. The cause of this behaviour is unknown. The crash of the Kerio service equals to disabling the protection. The tray icon of Kerio is not functional any more after exploiting the bug, any aplication can perform arbitrary protected action including Internet access and process creation.
Vulnerable software:

    * Sunbelt Kerio Personal Firewall 4.3.246

Not vulnerable software:

    * Sunbelt Kerio Personal Firewall 4.2.3.912
    * probably all older versions

Events:

    * 2006-07-17: Received request from the product vendor to temporarily remove the exploit code
    * 2006-07-17: Vulnerability confirmed by popular information sources
    * 2006-07-15: Advisory released
    * 2006-07-15: Vendor notification