[13623] in bugtraq
Re: SyGate 3.11 Port 7323 / Remote Admin hole
daemon@ATHENA.MIT.EDU (Brian Hampson)
Tue Feb 1 13:43:04 2000
Message-Id: <200001311949.LAA22025@asl.ca>
Date: Mon, 31 Jan 2000 11:46:37 -0800
Reply-To: Brian Hampson <brian@ASL.CA>
From: Brian Hampson <brian@ASL.CA>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <0FP2003Q4IX22F@mta4.snfc21.pbi.net>

When we last heard from you, the following words rang out across the 'Net:

>The Sygate gateway server is the computer that connects
>to the Internet and is running the Sygate software.
>Sygate runs on Win95/98 and Windows NT 4.0 ( Service
>Pack 3 and higher). On NT Server 4.0 it installs and
>runs as an NT Service.
>Sybergen does NOT document this utility.

Cute.

>This "Remote Administration Engine" (RAE) is SUPPOSEDLY
>ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by
>initiating a Telnet session to port 7323 on the Sygate
>gateway. For security reasons, access to this utility
>from the Internet is SUPPOSED to be blocked.
>However, I have been able to access the Sygate Remote
>Administration Engine from outside the Sygate gateway.
>I have been able to initiate a Telnet session to port
>7323 of a Sygate 3.11 gateway from machines on the
>Internet that were supposed to NOT be able to establish
>this kind of connection.
>I have been able to duplicate this security hole on a
>number of machines running Windows NT Server 4.0 with
>Service Pack 4 and Sygate 3.11 builds 556 and 560. I
>have not tested this on Win95/98. Also, all these NT
>servers did NOT have the Sygate "Enhanced Security"
>feature enabled, nor were these NT servers running
>Secure Desktop (SyShield), a Sybergen firewall product.

Verified with NT Workstation and Sygate as well.

>HOWEVER, this access via Telnet over the Internet is
>possible only ONCE per NT Server reboot. I do not know
>why this is so but after ending the initial Internet
>connection to port 7323 of the Sygate server, another
>Telnet session cannot connect to that port until the NT
>server is rebooted.

Verified as well. Odd but handy. I suppose another interim fix is to make
sure you telnet from external as soon as your machine has booted :)

B.
--
Brian P. Hampson ASL Analytical Service Laboratories Ltd
System Administrator, Vancouver, BC (604)253-4188
----------------- http://www.ASL.CA/ ----------------------------
Speaking for myself, not ASL