1-Click RCE Attack In Kerio Control UTM Allow Attackers Gain Firewall Root Access Remotely

GFI Software’s Kerio Control, a popular UTM solution, was found to be vulnerable to multiple HTTP Response Splitting vulnerabilities, which affecting versions 9.2.5 through 9.4.5, could potentially allow attackers to inject malicious code into web pages, leading to cross-site scripting (XSS) attacks and other security compromises. 

The vulnerabilities, tracked as CVE-2024-52875 and KIS-2024-07, highlight the importance of keeping software up-to-date and applying security patches promptly.

The vulnerable Kerio Control pages `/nonauth/addCertException.cs`, `/nonauth/guestConfirm.cs`, and `/nonauth/expiration.cs` fail to properly sanitize user-supplied `dest` GET parameters before constructing `Location` HTTP headers, which allows attackers to inject malicious URLs containing newline characters, leading to HTTP Response Splitting attacks. 

By exploiting this vulnerability in conjunction with a known nine-year-old exploit, attackers can potentially execute arbitrary code on the affected system, bypassing user interaction and escalating the risk to a high severity level.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The root cause of the CRLF Injection vulnerability lies in the improper handling of the “dest” GET parameter.

When a malicious user submits a crafted request with a specially formatted “dest” value containing CRLF sequences, the server fails to sanitize or properly encode the input. 

It allows the attacker to inject malicious HTTP headers into the response, potentially leading to session hijacking, cross-site scripting (XSS), or other security breaches.

Karmain Security identified the presence of the string “µë-” in the server response, suggesting Base64 encoded URLs might be expected and tested this by encoding a random URL (“[http://attacker.website](http://attacker.website)”) in Base64 and used it as the value for the “dest” parameter in the GET request. 

The server responded with a 302 Found status code and a Location header containing the decoded URL, confirming the suspicion, which indicates a vulnerability where the server expects Base64 encoded URLs for redirection.

A researcher successfully exploited a vulnerability in Kerio Control.

By injecting CRLF sequences into the payload, they were able to bypass input validation and manipulate HTTP responses, which allowed for the injection of arbitrary HTTP headers, potentially leading to HTTP Response Splitting attacks. 

The vulnerability stems from the lack of proper filtering or removal of CRLF sequences, enabling attackers to craft malicious responses and potentially compromise the security of the affected system.

An HTTP Response Splitting vulnerability in Kerio Control that allows for Reflected XSS attacks.

By crafting a special payload and leveraging browser behavior, the researcher was able to inject arbitrary data into the HTTP response body, which bypasses limitations set by the /admin/ path for cookies by using an iframe to steal the CSRF token and perform actions on the victim’s behalf. 

A 9-year-old remote code execution (RCE) exploit through the upgrade functionality was identified and combined with the XSS attack for a complete compromise of the Kerio Control instance. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free