Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: sygate1.htm

SyGate 3.11 remote administration engine



Vulnerability

    SyGate

Affected

    SyGate 3.11

Description

    Jeff  Alerta  found  following.   Sygate  3.11  by Sybergen, is an
    Internet Access Sharing program.  Sygate enables users to  connect
    multiple  computers  to  the  Internet  over  a  single connection
    (dial-up,  ISDN,  DSL,  Cable  Modem,  etc.).   The Sygate gateway
    server  is  the  computer  that  connects  to  the Internet and is
    running the Sygate software.

    Sygate  uses  a  built-in  DHCP  server  to assign IP addresses to
    computers  running  behind  the  Sygate  gateway  and NAT to allow
    access  by  these  computers  to  the  Internet.   Sygate  runs on
    Win95/98 and Windows NT 4.0 (  Service Pack 3 and higher).   On NT
    Server 4.0 it installs and runs as an NT Service.

    Included with  Sygate 3.11  (and possibly  earlier versions)  is a
    "Remote  Administration  Engine"  (REA)  which  is  a utility that
    allows users to remotely  administer Sygate processes and  monitor
    Sygate activity,  such as  traffic from  the Internet  to machines
    behind the Sygate gateway and vice versa.

    Sybergen does NOT document this utility.

    An example of the information that is provided by this utility  is
    the IP address  and port of  a computer being  accessed behind the
    Sygate  gateway  and  the  IP  address  and  port  of the computer
    accessing it from outside the Sygate gateway.  It allows the  user
    to monitor TCP and UDP processes going through the Sygate  gateway
    and to shut down  the Sygate gateway process,  thereby terminating
    all access to the Internet.

    This   "Remote   Administration   Engine"   (RAE)   is  SUPPOSEDLY
    ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by initiating a  Telnet
    session to port 7323 on the Sygate gateway. For security  reasons,
    access  to  this  utility  from  the  Internet  is  SUPPOSED to be
    blocked.

    However, Jeff was able to access the Sygate Remote  Administration
    Engine  from  outside  the  Sygate  gateway.   He has been able to
    initiate a Telnet  session to port  7323 of a  Sygate 3.11 gateway
    from machines on  the Internet that  were supposed to  NOT be able
    to establish this kind of connection.

    Jeff  duplicated  this  security  hole  on  a  number  of machines
    running Windows NT Server 4.0 with Service Pack 4 and Sygate  3.11
    builds 556 and 560  (not tested on Win95/98).  Also, all these  NT
    servers  did  NOT  have  the  Sygate  "Enhanced  Security" feature
    enabled,  nor  were  these  NT  servers  running  Secure   Desktop
    (SyShield), a Sybergen firewall product.

    Another problem  that compounds  the issue  is that  since the RAE
    was designed to be accessable only from behind the Sygate  gateway
    these is no user  authentication whatsoever when accessing  it. No
    username or password is requested. You are given direct access  to
    the utility when  a connection over  the Internet is  established.
    HOWEVER,  this  access  via  Telnet  over the Internet is possible
    only ONCE per NT  Server reboot.  Dunno  why this is so  but after
    ending the initial Internet connection to port 7323 of the  Sygate
    server, another Telnet session  cannot connect to that  port until
    the NT  server is  rebooted.   Just stopping  and re-starting  the
    Sygate service  will not  allow any  further Internet connections.
    The NT server must be  re-booted before another Telnet session  to
    port 7323 over the Internet will work.

    Once a Telnet connection has been established to port 7323, it  is
    possible to monitor all  TCP and UDP traffic  going in and out  of
    the Sygate gateway. It is  possible to draw a detailed  diagram of
    the network behind  the Sygate gateway  based on IP  addresses and
    ports in use.  It is also possible to shutdown the Sygate  Service
    disconnecting   all   Internet   connections.   If   the    system
    administrators  of  that  network  are  unaware of this ability to
    remotely shut  down the  Sygate service  (and it  is very possible
    that they are  NOT aware of  it; my discovery  of the RAE  utility
    was accidental and Sybergen does  not document the utility.   They
    only mention it in passing  in their Sygate FAQ) this  could drive
    the  SysAdmins  nuts  trying  to  figure  out  what is causing the
    Sygate server to shutdown.

    This  exploit  only  works  if  Sybergen Secure Desktop (SyShield)
    build 177,  a firewall  product that  is designed  to protect  the
    SyGate 3.11 gateway  computer, is NOT  installed or if  the Sygate
    "Enhanced Security"  mode is  NOT enabled.   So installing  Secure
    Desktop  (SyShield)  on  the  Sygate  3.11  server OR enabling the
    Sygate 3.11 "Enhanced Security" mode will block this exploit.

    Jeff Alerta talked about  the fact he was  able to connect to  the
    Sygate  Management  Console  (port  7323)  from  outside  of   the
    internal network, something which was not supposed to be possible.
    The  installation  process  for  Sygate  uses  inverse DNS queries
    (gethostbyaddr)  to  determine  which  interface  is the "trusted"
    network, and which is  to the "internet".   It sends out a  lookup
    request and whichever NIC in  the Sygate box returns the  response
    is  deemed  to  be  the  "internet".   Ergo,  the other NIC is the
    "trusted" network.

    If  you  don't  host  your  own  DNS  server, this method probably
    returns the desired results.  If you do host your own DNS  server,
    then  the  response  is  quite  possibly  going  to come from your
    internal NIC.  The result will be that your internal network  will
    be deemed the "internet",  and the internet deemed  your "trusted"
    network...  This was tested on  version 2.0 of Sygate too and  the
    security hole is there  too.  In version  2.0 you have to  specify
    the "internet" NIC  so there are  no DNS queries  to determine the
    "trusted"  network.   All  tests  are  done  without a "local" DNS
    server.

    Given that  the product  is targeted  at home  office users,  they
    could probably argue that  most of their customer's  installations
    are done  correctly.   Infosec folks  who might  be evaluating the
    product are likely to find different results in a test environment
    where an existing  network connection to  the internet could  fool
    the Sygate box as described above.

Solution

    Sybergen has released  the new beta  builds of their  SyGate 3.11,
    Secure Destop and  Secure Access products  that fix the  Port 7323
    Telnet Hole.  According to  them they have closed Internet  access
    to the  remote admin  utility at  port 7323.  They have also added
    support for Windows Millenium and Dual-CPU NT servers.

    These  builds  now  work  together  so  upgrading your Sygate 3.11
    server will require that  you upgrade Secure Access  (SyShield) to
    the new version.  Here are the links:

      SyGate 3.11 Build 563
        http://www.sygate.com/SG563.exe

      Sybergen Access Server Build 558
        http://www.sygate.com/SA558.exe

      Sybergen Secure Desktop Build 182
        http://www.sygate.com/SD182.exe


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH