SyGate 3.11 Port 7323 / Remote Admin hole

From: jalertaat_private
Date: Fri Jan 28 2000 - 16:08:46 PST


    Sybergen SyGate 3.11 Security Hole / Exploit

    DESCRIPTION:

    Sygate 3.11 by Sybergen, http://www.sybergen.com, is
    an Internet Access Sharing program.  Sygate enables
    users to connect multiple computers to the Internet
    over a single connection (dial-up, ISDN, DSL, Cable
    Modem, etc.).
    
    
    The Sygate gateway server is the computer that connects
    to the Internet and is running the Sygate software.
    
    Sygate uses a built-in DHCP server to assign IP
    addresses to computers running behind the Sygate
    gateway and NAT to allow access by these computers to
    the Internet.
    
    
    Sygate runs on Win95/98 and Windows NT 4.0 (Service
    Pack 3 and higher). On NT Server 4.0 it installs and
    runs as an NT Service.
    
    
    Included with Sygate 3.11 (and possibly earlier
    versions) is a "Remote Administration Engine" (RAE),
    a utility that allows users to remotely administer
    Sygate processes and monitor Sygate activity, such as
    traffic from the Internet to machines behind the
    Sygate gateway and vice versa.
    
    
    Sybergen does NOT document this utility.
    
    
    An example of the information that is provided by this
    utility is the IP address and port of a computer being
    accessed behind the Sygate gateway and the IP address
    and port of the computer accessing it from outside the
    Sygate gateway.  It allows the user to monitor TCP and
    UDP processes going through the Sygate gateway and to
    shut down the Sygate gateway process, thereby
    terminating all access to the Internet.
    
    
    This "Remote Administration Engine" (RAE) is SUPPOSEDLY
    ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by
    initiating a Telnet session to port 7323 on the Sygate
    gateway. For security reasons, access to this utility
    from the Internet is SUPPOSED to be blocked.
    
    
    However, I have been able to access the Sygate Remote
    Administration Engine from outside the Sygate gateway.
    
    
    I have been able to initiate a Telnet session to port
    7323 of a Sygate 3.11 gateway from machines on the
    Internet that were supposed to NOT be able to establish
    this kind of connection.
    
    
    I have been able to duplicate this security hole on a
    number of machines running Windows NT Server 4.0 with
    Service Pack 4 and Sygate 3.11 builds 556 and 560. I
    have not tested this on Win95/98. Also, all these NT
    servers did NOT have the Sygate "Enhanced Security"
    feature enabled, nor were these NT servers running
    Secure Desktop (SyShield), a Sybergen firewall product.
    
    
    Another problem that compounds the issue is that, since
    the RAE was designed to be accessible only from behind
    the Sygate gateway, there is no user authentication
    whatsoever when accessing it. No username or password
    is requested. You are given direct access to the
    utility when a connection over the Internet is
    established.
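    A defender-side check that follows from the two points above (the RAE
    listens on TCP 7323, is meant to be reachable only from the internal
    network, and asks for no credentials) is to review gateway or perimeter
    firewall connection logs for accepted sessions to that port whose source
    lies outside the private address space. The script below is an added
    example, not part of this post and not Sybergen's code; the key=value log
    format and the log lines are constructed for the example, and the internal
    ranges are assumed to be the RFC 1918 networks (plus loopback) that a
    gateway's DHCP server would hand out.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# TCP port of the SyGate 3.11 Remote Administration Engine, as given in the post.
RAE_PORT = 7323

# Assumption: hosts behind the gateway use RFC 1918 space (plus loopback).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample log in a generic key=value connection-log format.
# This is NOT SyGate's own log format; it stands in for whatever the
# perimeter device in front of the gateway records.
SAMPLE_LOG = """\
2000-01-28 15:01:02 proto=TCP src=192.168.0.12 sport=1043 dst=192.168.0.1 dport=7323 action=accept
2000-01-28 15:02:10 proto=TCP src=203.0.113.45 sport=2201 dst=198.51.100.7 dport=7323 action=accept
2000-01-28 15:02:11 proto=TCP src=203.0.113.45 sport=2202 dst=198.51.100.7 dport=80 action=accept
2000-01-28 15:03:30 proto=UDP src=10.0.0.5 sport=5000 dst=10.0.0.1 dport=7323 action=accept
2000-01-28 15:04:00 proto=TCP src=198.51.100.200 sport=3333 dst=198.51.100.7 dport=7323 action=deny
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>\w+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr: str) -> bool:
    """True when addr falls inside the assumed internal address ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source address: do not treat it as trusted
    return any(ip in net for net in INTERNAL_NETS)


def find_external_rae_access(log_text: str) -> List[Dict[str, str]]:
    """Accepted TCP sessions to RAE_PORT whose source is outside INTERNAL_NETS.

    Denied attempts are excluded on purpose: the condition the post describes
    is a connection that actually reaches the RAE from the Internet.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].upper() != "TCP" or int(rec["dport"]) != RAE_PORT:
            continue
        if rec["action"].lower() != "accept":
            continue
        if is_internal(rec["src"]):
            continue
        hits.append(rec)
    return hits


def describe(rec: Dict[str, str]) -> str:
    """One-line finding for a flagged record."""
    return (f"{rec['ts']} external {rec['src']}:{rec['sport']} reached "
            f"{rec['dst']}:{rec['dport']} (RAE exposed to the Internet)")


if __name__ == "__main__":
    for rec in find_external_rae_access(SAMPLE_LOG):
        print(describe(rec))
```

    Run as a script it prints one line per flagged session (the constructed
    sample yields exactly one, from 203.0.113.45); find_external_rae_access
    returns the matching records so the same filter can be dropped into an
    existing log pipeline. The internal session from 192.168.0.12 and the
    denied attempt from 198.51.100.200 are deliberately not reported.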
    
    
    HOWEVER, this access via Telnet over the Internet is
    possible only ONCE per NT Server reboot. I do not know
    why this is so but after ending the initial Internet
    connection to port 7323 of the Sygate server, another
    Telnet session cannot connect to that port until the NT
    server is rebooted.
    
    
    Just stopping and re-starting the Sygate service will
    not allow any further Internet connections. The NT
    server must be re-booted before another Telnet session
    to port 7323 over the Internet will work.
    
    
    Once a Telnet connection has been established to port
    7323, it is possible to monitor all TCP and UDP traffic
    going in and out of the Sygate gateway. It is possible
    to draw a detailed diagram of the network behind the
    Sygate gateway based on IP addresses and ports in use.
    It is also possible to shut down the Sygate service,
    disconnecting all Internet connections. If the system
    administrators of that network are unaware of this
    ability to remotely shut down the Sygate service (and
    it is very possible that they are NOT aware of it; my
    discovery of the RAE utility was accidental and
    Sybergen does not document the utility. They only
    mention it in passing in their Sygate FAQ) this could
    drive the SysAdmins nuts trying to figure out what is
    causing the Sygate server to shutdown.
    
    
    I informed Sybergen tech support about this security
    hole / exploit on Jan. 6, 2000 and they have a new
    Sygate build that supposedly patches the hole.
    
    
    
    FIXES:
    
    
    This exploit only works if Sybergen Secure Desktop
    (SyShield) build 177, a firewall product that is
    designed to protect the SyGate 3.11 gateway computer,
    is NOT installed or if the Sygate "Enhanced Security"
    mode is NOT enabled.
    
    
    So installing Secure Desktop (SyShield) on the Sygate
    3.11 server OR enabling the Sygate 3.11 "Enhanced
    Security" mode will block this exploit.
    
    
    
    To fix Sygate itself, you may need to request the new
    Sygate build from Sybergen tech support, as they have
    not yet officially posted it to their public web site.
    
    
    However, I was given a link to the latest build and you
    can try downloading that until something more official
    comes along (or until they remove the link to this
    file).
    
    
    URL: http://www.sygate.com/SyGate562.exe (the filename is
    case-sensitive)
    
    
    
    VERY IMPORTANT NOTE: this new Sygate 562 build breaks
    the Sybergen Secure Desktop (SyShield) build 177, which
    is designed to work with the SyGate 3.11 build 560.
    Sybergen is working on a new Secure Desktop build that
    will work with the Sygate build 562.
    
    
    
    
    Contact Sybergen, http://www.sybergen.com, for more
    details on their new builds.
    
    
    
    
    jeff alerta
    
    jeffat_private

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:17 PDT