Bugtraq mailing list archives
FW: Undocumented back door
From: rhillery () TEC NH US (NHCTC)
Date: Thu, 27 Jan 2000 22:08:33 -0500
Quis custodiet custodes ?

-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent: Thursday, 27 January, 2000 18:20
To: Robert Hillery
Subject: Re: Undocumented back door

Please send it to bugtraq () securityfocus com. Cheers.

* Robert Hillery (rhillery () tec nh us) [000127 20:40]:

Elias,

What follows is a copy of my submission to SANS GIAC re a curious open port I had at tcp 7323 on an NT server system w/ SyGate's 3.1 NAT installed.

Greg Shipley suggested I send it to you at BugTraq, also.

Bob Hillery, NHCTC Pease
Cogito, ergo sum...cogito

"FYI, I discussed a possible solution to one of Steve's examples at last week's SNAP DC conference. Specifically, he had an indication of a session directed to the unknown port of 7306 and was at the time unsure of its meaning. I had a similar problem -- and discovered the answer.

I had just set up an NT server as a multi-homed system w/ NAT (SyGate 3.1 build 553) and did an internal port scan to verify the setup. I was surprised by an active listening port at 7323. I did a telnet from another computer in the net and got (sic):

"SyGate 3.11 for Windows 95/98/NT build 556
Welcome to engine remote controller!
For security purpose, engine remote controller can be access only from your Local Area Network (LAN).
======== Function Key ==========
P Stop Service
D Display Engine Status
N To Dial ( Dial-Up Networking only )
F To Hang Up( Dial-Up Networking only )
T Display All TCP Connection(s)
U Display All UDP Connection(s)
Ready to accept command. Press one function key, or 'H' for help."

WOW. I was told in my first email to Sybergen, who write SyGate, SyShield, and Sy Access, that although it is completely undocumented this was for "maintenance purposes only." My second email asked the what if -- any other access route? The answer was (ahem):

"From: Customer Support [mailto:sgsupport@Sybergen]
Sent: Monday, December 20, 1999 5:21 PM
To: rhillery () tec nh us
Subject: RE: sg

Port 7323 is used for telnet session for SyGate within a LAN, if someone did use the RAS (on a SyGate client machine) and able to get the same TCP/IP setting as other LAN computers, then telneting the server is possible and that will post a security hole.

Sincerely,
Customer Support
Sybergen Networks, Inc."

Last step was a live test. One of my students is also the SysAdmin of a local private High School's network. He telnetted in from our classroom, across at least 4 routers, including some public net, successfully got the SyGate remote control screen...and proceeded to shut his own system down. So much for remote maintenance...Many thanks to Chris R. for the test (and his colleague who immediately reset (and closed 7323) the system that Friday afternoon).

I've seen on the SANS list of port uses (in the FAQ) that 7306 is associated w/ NetMonitor; a program designed for remote control of kiosks & ATMs. My suspicion is that 7306 and others may be the "maintenance" backdoors to this and other such programs. I suggest an occasional internal port scan to verify system port settings. Any program that makes something easy, well...makes things easy!"

-- Elias Levy Security Focus http://www.securityfocus.com/
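
The periodic port check the post recommends can also be run on the server itself. The following is an added example, not part of the original message or of any SyGate tooling: it compares listening TCP sockets in `netstat -an` output against a documented baseline and reports how widely each unexpected listener is bound. The sample output, the baseline set and the function names are constructed assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7323           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1042       192.168.0.7:23         ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

# Assumed baseline: the TCP ports this server's documentation says should listen.
DOCUMENTED_TCP_PORTS = {135, 139}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_sockets(netstat_text):
    """Return (bind_address, port) for every TCP socket in LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def undocumented_listeners(netstat_text, documented):
    """Report listeners missing from the baseline, noting how widely each is bound."""
    findings = []
    for addr, port in listening_sockets(netstat_text):
        if port in documented:
            continue
        if addr == "0.0.0.0":
            scope = "all interfaces"      # on a multi-homed host this includes the external side
        elif addr.startswith("127."):
            scope = "loopback only"
        else:
            scope = "single interface"
        findings.append({"port": port, "bind": addr, "scope": scope})
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for f in undocumented_listeners(SAMPLE_NETSTAT, DOCUMENTED_TCP_PORTS):
        print(f"undocumented TCP listener on port {f['port']} "
              f"bound to {f['bind']} ({f['scope']})")
```

A listener reported as bound to all interfaces on a multi-homed NAT host is reachable from whichever networks its interfaces touch unless a filter blocks it, whatever the service's banner says.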