Bugtraq mailing list archives
Re: SyGate 3.11 Port 7323 / Remote Admin hole
From: brian () ASL CA (Brian Hampson)
Date: Mon, 31 Jan 2000 11:46:37 -0800
When we last heard from you, the following words rang out across the 'Net:
> The Sygate gateway server is the computer that connects to the Internet and is running the Sygate software.
> Sygate runs on Win95/98 and Windows NT 4.0 (Service Pack 3 and higher). On NT Server 4.0 it installs and runs as an NT Service.
> Sybergen does NOT document this utility.

Cute.

> This "Remote Administration Engine" (RAE) is SUPPOSEDLY ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by initiating a Telnet session to port 7323 on the Sygate gateway. For security reasons, access to this utility from the Internet is SUPPOSED to be blocked.
> However, I have been able to access the Sygate Remote Administration Engine from outside the Sygate gateway.
> I have been able to initiate a Telnet session to port 7323 of a Sygate 3.11 gateway from machines on the Internet that were supposed to NOT be able to establish this kind of connection.
> I have been able to duplicate this security hole on a number of machines running Windows NT Server 4.0 with Service Pack 4 and Sygate 3.11 builds 556 and 560. I have not tested this on Win95/98. Also, all these NT servers did NOT have the Sygate "Enhanced Security" feature enabled, nor were these NT servers running Secure Desktop (SyShield), a Sybergen firewall product.

Verified with NT Workstation and Sygate as well.

> HOWEVER, this access via Telnet over the Internet is possible only ONCE per NT Server reboot. I do not know why this is so but after ending the initial Internet connection to port 7323 of the Sygate server, another Telnet session cannot connect to that port until the NT server is rebooted.
Verified as well. Odd but handy. I suppose another interim fix is to make sure you telnet from external as soon as your machine has booted :)

B.
--
Brian P. Hampson
ASL Analytical Service Laboratories Ltd
System Administrator, Vancouver, BC (604)253-4188
----------------- http://www.ASL.CA/ ----------------------------
Speaking for myself, not ASL