[ISN] Sygate Personal Firewall IP Spoofing Vulnerability

From: InfoSec News (isnat_private)
Date: Tue Sep 17 2002 - 23:51:16 PDT

  • Next message: InfoSec News: "[ISN] PDF Copy of National Cybersecurity Strategy Now Available"

    Contributed to HNS by Abraham Lincoln <sunninjaat_private>
    NSSI-Research Labs Security Advisory
    Sygate Personal Firewall 5.0 IP Spoofing Vulnerability
    Author: Abraham Lincoln Hao / SunNinja e-Mail: abrahamat_private 
    / SunNinjaat_private
    Advisory Code: NSSI-2002-sygatepfw5
    Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / 
    Win2K Professional
    Vendor Status: Vendor already accepted the vulnerability and they will 
    be releasing new version to Patch the vulnerability 
    Vendors website: http://www.sygate.Com
    Severity: High 
    Sygate Personal Firewall 5.0 is a host-based Firewall designed to 
    protect your PC against attacks from both the Internet, and other 
    computers in the local network.
    Sygate Personal Firewall 5.0 for windows platform contains IP Spoofing 
    vulnerability. These vulnerability could allow an attacker with a 
    source IP of to Attack the host protected by Sygate Personal 
    firewall without being detected. Sygate Personal firewall is having 
    problem detecting incoming traffic with source ip (loopback 
    Test diagram:
    [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps 
    switch===> [Host with SPF] 
     1] IP Spoofing Vulnerability Default Installation
    - SPF is vulnerable with IP Spoofing attack by Scanning the host with 
    a source ip address or network address The 
    Attacker could scan or attack the target host without being detected 
    by the personal firewall. This vulnerability is very serious w/c an 
    attacker could start a Denial of Service attack against the spf 
    protected host and launch any form of attack.
    - To those who wants to try to simulate the vulnerability, you may use 
    source address - ;) 
    1] Set the SPF to BLOCK ALL mode setting which i don't think the user 
    would do ;) This type of setting would block everything all incoming 
    request and outgoing.
    2] Block source address or network address 
    manually in Advance rules section. 
    Any Questions? Suggestions? or Comments? let us know. (Free your mind)
    e-mail: nssilabsat_private / abrahamat_private / 
    nssilabs team bring the heat! ;) Lawless the saint ;), dig0, b45h3r, 
    jethro, mr. d.f.a, p1x3lb0y, rj45-gu1t4rgawd and to our webmaster 
    raymund (R2/D2)
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 02:07:20 PDT