[13672] in bugtraq

home help back first fref pref prev next nref lref last post

SV: SyGate 3.11 Port 7323 / Remote Admin hole

daemon@ATHENA.MIT.EDU (Sani Huttunen)
Wed Feb 2 17:11:58 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <LPEHLEBCDCHHLLOPOLBOMECJCBAA.mape2413@ktv.koping.se>
Date:         Wed, 2 Feb 2000 06:24:04 +0100
Reply-To: ckret@usa.net
From: Sani Huttunen <mape2413@KTV.KOPING.SE>
X-To:         Securityfocus Bugtraq <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <A138A8DCF370D311AB0E00062970B5D108FF5F@ns.rc.on.ca>

>In talking with Sybergen, some other potential problems have come to light.

>Jeff Alerta talked about the fact he was able to connect to the Sygate
>Management Console (port 7323) from outside of the internal network,
>something which was not supposed to be possible.

>The installation process for Sygate uses inverse DNS queries
(gethostbyaddr)
>to determine which interface is the "trusted" network, and which is to the
>"internet". It sends out a lookup request and whichever NIC in the Sygate
>box returns the response is deemed to be the "internet". Ergo, the other
NIC
>is the "trusted" network.

>If you don't host your own DNS server, this method probably returns the
>desired results. If you do host your own DNS server, then the response is
>quite possibly going to come from your internal NIC. The result will be
that
>your internal network will be deemed the "internet", and the internet
deemed
>your "trusted" network...;-[

I've testes this on version 2.0 of Sygate and the security hole is there
too.
In version 2.0 you have to specify the "internet" NIC so there are no DNS
queries to determine the "trusted" network.

All tests are done without a "local" DNS server.

>Given that the product is targeted at home office users, they could
probably
>argue that most of their customer's installations are done correctly.
>Infosec folks who might be evaluating the product are likely to find
>different results in a test environment where an existing network
connection
>to the internet could fool the Sygate box as described above.

>Of course once its made this determination it is possible to change it
>(kinda scary in and of itself), although its not terribly easy to do so.
Its
>also not obvious to a new user that you might have to do this, although
once
>you start setting up restrictions/permissions you'll likely quickly notice
>that none of your internal users are able to get to much. I believe,
>however, that it would be possible for you to completely configure this
>thing to permit your internal users to do what you thought they should,
>despite leaving the internet as the "trusted" network.

>As far as I can tell, only this Remote Management service is exposed if
>Sygate is misconfigured as above (of course why would you need anything
>else...;-]).

You really cannot misconfigure version 2.0 so misconfiguration is NOT the
problem.

>As Jeff noted, if the "Enhanced Security" option is enabled, then the
Remote
>Management service relies on access from 127.0.0.1 to determine if you can
>do anything with the listening port. With this option disabled, access is
>still restricted to packets received over the "trusted" NIC (so if
>misconfigured, access is granted to anyone on the Internet and denied to
>your local network).

>As far as this one-time per reboot issue, apparently build 560 would allow
a
>single connection to the Remote Management program and then, upon that
>client exiting, it would shut down the service (the management service, not
>the gateway). Build 562 apparently corrects this (presumably not shutting
>down after client termination).

Sani

home help back first fref pref prev next nref lref last post