FW: Undocumented back door

[rhillery () TEC NH US (NHCTC)]

Quis custodiet custodes ?

-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent: Thursday, 27 January, 2000 18:20
To: Robert Hillery
Subject: Re: Undocumented back door

Please send it to bugtraq () securityfocus com. Cheers.

* Robert Hillery (rhillery () tec nh us) [000127 20:40]:
> Elias,
>   What follows is a copy of my submission to SANS GIAC re a curious open
> port I had at tcp 7323 on an NT server system w/ SyGate's 3.1 NAT
installed.
>   Greg Shipley suggested I send it to you at BugTraq, also.
>
> Bob Hillery,
> NHCTC Pease
> Cogito, ergo sum...cogito
>
> "FYI, I discussed a possible solution to one of Steve's examples at last
> week's SNAP DC conference.  Specifically, he had an indication of a
> session directed to the unknown port of 7306 and was at the time unsure of
> its meaning.
>   I had a similar problem -- and discovered the answer.  I had just set up
> an NT server as a multi-homed system w/ NAT (SyGate 3.1 build 553)
>
> and did an internal port scan to verify the setup.  I was surprised by an
> active listening port at 7323.
>   I did a telnet from another computer in the net and got (sic):
>
> ""SyGate 3.11 for Windows 95/98/NT build 556
>
> Welcome to engine remote controller!
>
> For security purpose, engine remote controller can be access only from
your
> Local Area Network (LAN).
>
>
> ======== Function Key ==========
>
> P            Stop Service
>
> D            Display Engine Status
>
> N            To Dial ( Dial-Up Networking only )
>
> F            To Hang Up( Dial-Up Networking only )
>
> T            Display All TCP Connection(s)
>
> U            Display All UDP Connection(s)
>
>
>
> Ready to accept command. Press one function key, or 'H' for help.""
>
>  WOW.
>   I was told in my first email to Sybergen, who write SyGate, SyShield,
and
> Sy Access, that although it is completely undocumented this was for
> "maintenance purposes  only." My second email asked the what if -- any
other
> access route?  The answer was (ahem):
>
> ""From: Customer Support [ mailto:sgsupport@Sybergen
>
> <mailto:sgsupport@Sybergen> ]
>
> Sent: Monday, December 20, 1999 5:21 PM
>
> To: rhillery () tec nh us <mailto:rhillery () tec nh us>
>
> Subject: RE: sg
>
> Port 7323 is used for telnet session for SyGate within a LAN, if someone
did
> use the RAS (on a SyGate client machine) and able to get the same TCP/IP
> setting as other LAN computers, then telneting the server is possible and
> that will post a security hole.
>
> Sincerely,
> Customer Support
> Sybergen Networks, Inc.""
>
>   Last step was a live test.  One of my students is also the SysAdmin of a
> local private High School's network.  He telnetted in from our classroom,
> across at least 4 routers, including some public net, successfully got the
> SyGate remote control screen...and proceeded to shut his own system down.
> So much for remote maintenance...Many thanks to Chris R. for the test (and
> his colleague who immediately reset (and closed 7323) the system that
Friday
> afternoon).
>   I've seen on the SANS list of port uses (in the FAQ) that 7306 is
> associated w/ NetMonitor; a program designed for remote control of kiosks
&
> ATMs.  My suspicion is that 7306 and others may be the "maintenance"
> backdoors to this and other such programs.  I suggest an occasional
internal
> port scan to verify system port settings.  Any program that makes
something
> easy, well...makes things easy!"

--
Elias Levy
Security Focus
http://www.securityfocus.com/