Re: SyGate 3.11 Port 7323 / Remote Admin hole

From: Brian Hampson (brianat_private)
Date: Mon Jan 31 2000 - 11:46:37 PST


    When we last heard from you, the following words rang out across the 'Net:
    
    >The Sygate gateway server is the computer that connects
    >to the Internet and is running the Sygate software.
    
    
    >Sygate runs on Win95/98 and Windows NT 4.0 ( Service
    >Pack 3 and higher). On NT Server 4.0 it installs and
    >runs as an NT Service.
    
    >Sybergen does NOT document this utility.
    
    Cute.
    
    
    >This "Remote Administration Engine" (RAE) is SUPPOSEDLY
    >ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by
    >initiating a Telnet session to port 7323 on the Sygate
    >gateway. For security reasons, access to this utility
    >from the Internet is SUPPOSED to be blocked.
    
    >However, I have been able to access the Sygate Remote
    >Administration Engine from outside the Sygate gateway.
    
    >I have been able to initiate a Telnet session to port
    >7323 of a Sygate 3.11 gateway from machines on the
    >Internet that were supposed to NOT be able to establish
    >this kind of connection.
    
    >I have been able to duplicate this security hole on a
    >number of machines running Windows NT Server 4.0 with
    >Service Pack 4 and Sygate 3.11 builds 556 and 560. I
    >have not tested this on Win95/98. Also, all these NT
    >servers did NOT have the Sygate "Enhanced Security"
    >feature enabled, nor were these NT servers running
    >Secure Desktop (SyShield), a Sybergen firewall product.
    
    Verified with NT Workstation and Sygate as well.
    
    >HOWEVER, this access via Telnet over the Internet is
    >possible only ONCE per NT Server reboot. I do not know
    >why this is so but after ending the initial Internet
    >connection to port 7323 of the Sygate server, another
    >Telnet session cannot connect to that port until the NT
    >server is rebooted.
    
    Verified as well. Odd but handy.  I suppose another interim fix is to make
    sure you telnet from external as soon as your machine has booted :)
    
    B.
    --
    
       Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
       System Administrator,             Vancouver, BC (604)253-4188
         ----------------- http://www.ASL.CA/ ----------------------------
    
    Speaking for myself, not ASL
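
A defender-side check for the exposure discussed in this thread, as an added example that is not part of the original message or of any Sybergen tooling: it parses Windows `netstat -an` output and flags a TCP 7323 listener bound to the wildcard or a non-internal address, plus any established session on that port from outside the LAN. The internal range `192.168.0.0/24` and the sample output are constructed assumptions; how Sygate actually binds the port is not stated in the thread.

```python
import ipaddress

RAE_PORT = 7323  # port named in the thread
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range

# Constructed sample of Windows `netstat -an` output (not from a real host)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7323           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:7323      198.51.100.7:1045      ESTABLISHED
  TCP    192.168.0.1:7323       192.168.0.20:1030      ESTABLISHED
"""

def parse_tcp_rows(text):
    """Yield (local_ip, local_port, remote_ip, state) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; headers and UDP rows do not.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        local_ip, _, local_port = fields[1].rpartition(":")
        remote_ip, _, _ = fields[2].rpartition(":")
        # Strip brackets so IPv6 rows such as [::]:7323 also parse.
        yield local_ip.strip("[]"), int(local_port), remote_ip.strip("[]"), fields[3]

def audit_rae_exposure(text, port=RAE_PORT, internal=INTERNAL_NET):
    """Return findings for listeners or sessions on `port` that leave the LAN."""
    findings = []
    for local_ip, local_port, remote_ip, state in parse_tcp_rows(text):
        if local_port != port:
            continue
        local = ipaddress.ip_address(local_ip)
        if state == "LISTENING" and (local.is_unspecified or local not in internal):
            findings.append(("exposed-listener", local_ip))
        elif state == "ESTABLISHED" and ipaddress.ip_address(remote_ip) not in internal:
            findings.append(("external-session", remote_ip))
    return findings

if __name__ == "__main__":
    for kind, address in audit_rae_exposure(SAMPLE_NETSTAT):
        print(f"{kind}: {address}")
```

A listener bound only to the internal interface produces no finding; a wildcard bind means reachability from the Internet depends entirely on whatever filtering sits in front of the gateway.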
    


