Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

NSSI-2002-sygatepfw5: Sygate Personal Firewall IP Spoofing Vulnerability

From: "Abraham Lincoln" <sunninja () scientist com>
Date: Mon, 16 Sep 2002 23:32:13 +0800
NSSI-Research Labs Security Advisory

http://www.nssolution.com (Philippines / .ph)
"Maximum e-security"

http://nssilabs.nssolution.com

Sygate Personal Firewall 5.0 IP Spoofing Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham () nssolution com / SunNinja () Scientist com

Advisory Code: NSSI-2002-sygatepfw5

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional

Vendor Status:  Vendor already accepted the vulnerability and they will be releasing new version to Patch the 
vulnerability

Vendors website: http://www.sygate.Com
Severity: High

Overview:
     Sygate Personal Firewall 5.0 is a host-based Firewall designed to protect your PC against attacks from both the 
Internet, and other computers in the local network.

    Sygate Personal Firewall 5.0 for windows platform contains IP Spoofing vulnerability.  These vulnerability could 
allow an attacker with a source IP of 127.0.0.1 to Attack the host protected by Sygate Personal firewall without being 
detected. Sygate Personal firewall is having problem detecting incoming traffic with source ip 127.0.0.1 (loopback 
address) 
Details:

Test diagram:
   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host with SPF] 
 1]  IP Spoofing Vulnerability Default Installation

    - SPF is vulnerable with IP Spoofing attack by Scanning the host with a source ip address 127.0.0.1 or network 
address 127.0.0.0. The Attacker could scan or attack the target host without being detected by the personal firewall. 
This vulnerability is very serious w/c an attacker could start a Denial of Service attack against the spf protected 
host and launch any form of attack.
    - To those who wants to try to simulate the vulnerability, you may use source address 127.0.0.1 - 127.0.0.255 ;)

Workaround:

1] Set the SPF to BLOCK ALL mode setting which i don't think the user would do ;) This type of setting would block 
everything all incoming request and outgoing.

2] Block source address 127.0.0.1 or 127.0.0.0 network address manually in  Advance rules section. 

Any Questions? Suggestions? or Comments? let us know. (Free your mind)

e-mail: nssilabs () nssolution com / abraham () nssolution com / infosec () nssolution com

greetings:
   nssilabs team bring the heat! ;) Lawless the saint ;), dig0, b45h3r, jethro,   mr. d.f.a, p1x3lb0y, rj45-gu1t4rgawd 
and to our webmaster raymund (R2/D2)



-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup
Previous By Date Next
Previous By Thread Next

Current thread: