Sybergen SyGate 3.11 Security Hole / Exploit

DESCRIPTION:

Sygate 3.11 by Sybergen, http://www.sybergen.com, is an Internet Access Sharing program. Sygate enables users to connect multiple computers to the Internet over a single connection (dial-up, ISDN, DSL, Cable Modem, etc.). The Sygate gateway server is the computer that connects to the Internet and runs the Sygate software. Sygate uses a built-in DHCP server to assign IP addresses to computers running behind the Sygate gateway and NAT to allow those computers to access the Internet. Sygate runs on Win95/98 and Windows NT 4.0 (Service Pack 3 and higher). On NT Server 4.0 it installs and runs as an NT Service.

Included with Sygate 3.11 (and possibly earlier versions) is a "Remote Administration Engine" (RAE), a utility that allows users to remotely administer Sygate processes and monitor Sygate activity, such as traffic from the Internet to machines behind the Sygate gateway and vice versa. Sybergen does NOT document this utility. An example of the information provided by this utility is the IP address and port of a computer being accessed behind the Sygate gateway and the IP address and port of the computer accessing it from outside the Sygate gateway. It allows the user to monitor TCP and UDP processes going through the Sygate gateway and to shut down the Sygate gateway process, thereby terminating all access to the Internet.

This "Remote Administration Engine" (RAE) is SUPPOSEDLY ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by initiating a Telnet session to port 7323 on the Sygate gateway. For security reasons, access to this utility from the Internet is SUPPOSED to be blocked. However, I have been able to access the Sygate Remote Administration Engine from outside the Sygate gateway.
I have been able to initiate a Telnet session to port 7323 of a Sygate 3.11 gateway from machines on the Internet that were supposed to NOT be able to establish this kind of connection. I have been able to duplicate this security hole on a number of machines running Windows NT Server 4.0 with Service Pack 4 and Sygate 3.11 builds 556 and 560. I have not tested this on Win95/98. Also, none of these NT servers had the Sygate "Enhanced Security" feature enabled, nor were they running Secure Desktop (SyShield), a Sybergen firewall product.

Another problem that compounds the issue is that, since the RAE was designed to be accessible only from behind the Sygate gateway, there is no user authentication whatsoever when accessing it. No username or password is requested. You are given direct access to the utility as soon as a connection over the Internet is established.

HOWEVER, this access via Telnet over the Internet is possible only ONCE per NT Server reboot. I do not know why this is so, but after ending the initial Internet connection to port 7323 of the Sygate server, another Telnet session cannot connect to that port until the NT server is rebooted. Just stopping and re-starting the Sygate service will not allow any further Internet connections. The NT server must be re-booted before another Telnet session to port 7323 over the Internet will work.

Once a Telnet connection has been established to port 7323, it is possible to monitor all TCP and UDP traffic going in and out of the Sygate gateway. It is possible to draw a detailed diagram of the network behind the Sygate gateway based on the IP addresses and ports in use. It is also possible to shut down the Sygate Service, disconnecting all Internet connections.
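Because the RAE accepts unauthenticated sessions, the practical defender's check is whether any TCP session to port 7323 on the gateway ever originates from an Internet-side address. The following detection script is an added example and is not part of the original advisory or of Sybergen's software; the connection-log line format and the sample lines are constructed for the example, and the internal-address ranges are assumed to be the RFC 1918 networks Sygate's DHCP would hand out.

```python
"""Flag Internet-side connections to the Sygate Remote Administration
Engine (RAE) port, TCP 7323, in connection-log lines.

Added example, not the advisory's or Sybergen's code. The log format is
constructed for this example; adapt LINE_RE to your gateway's real log.
"""
import ipaddress
import re
from typing import List, Tuple

RAE_PORT = 7323

# Assumed "behind the gateway" address space: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log line format:
#   "<date> <time> <proto> <src ip>:<port> -> <dst ip>:<port> <state>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>\S+)$"
)

def is_internal(ip: str) -> bool:
    """True if the address belongs to one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_external_rae_sessions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, destination) for every TCP session to port
    7323 whose source is not internal. Per the advisory such sessions should
    never exist; any hit means the RAE is reachable from the Internet and the
    gateway needs Enhanced Security, SyShield, or the updated build."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != RAE_PORT:
            continue
        if is_internal(m["src"]):
            continue  # LAN-side administration is the intended use
        hits.append((m["ts"], f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"))
    return hits

# Constructed sample: one LAN-side admin session, one Internet-side RAE
# session (the finding), and unrelated traffic that must not be flagged.
SAMPLE_LOG = [
    "2000-01-06 09:12:01 TCP 192.168.0.20:1040 -> 192.168.0.1:7323 ESTABLISHED",
    "2000-01-06 09:13:44 TCP 203.0.113.17:2231 -> 198.51.100.9:7323 ESTABLISHED",
    "2000-01-06 09:14:02 TCP 203.0.113.17:2232 -> 198.51.100.9:80 ESTABLISHED",
    "2000-01-06 09:15:10 UDP 203.0.113.40:1055 -> 198.51.100.9:7323 NONE",
]

if __name__ == "__main__":
    for hit in find_external_rae_sessions(SAMPLE_LOG):
        print("RAE reachable from Internet:", hit)
```

Because the advisory notes only one Internet-side session is accepted per reboot, a single hit is the whole signal; do not wait for repeats before treating the gateway as exposed.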
If the system administrators of that network are unaware of this ability to remotely shut down the Sygate service (and it is very possible that they are NOT aware of it; my discovery of the RAE utility was accidental, and Sybergen does not document the utility, mentioning it only in passing in their Sygate FAQ), this could drive the SysAdmins nuts trying to figure out what is causing the Sygate server to shut down.

I informed Sybergen tech support about this security hole / exploit on Jan. 6, 2000, and they have a new Sygate build that supposedly patches the hole.

FIXES:

This exploit only works if Sybergen Secure Desktop (SyShield) build 177, a firewall product designed to protect the SyGate 3.11 gateway computer, is NOT installed, or if the Sygate "Enhanced Security" mode is NOT enabled. So installing Secure Desktop (SyShield) on the Sygate 3.11 server OR enabling the Sygate 3.11 "Enhanced Security" mode will block this exploit.

To fix Sygate itself, you may need to request the new Sygate build from Sybergen tech support, as they have not yet officially posted it to their public web site. However, I was given a link to the latest build and you can try downloading that until something more official comes along (or until they remove the link to this file).

URL: http://www.sygate.com/SyGate562.exe (the filename is case-sensitive)

VERY IMPORTANT NOTE: this new Sygate 562 build breaks the Sybergen Secure Desktop (SyShield) build 177, which is designed to work with the SyGate 3.11 build 560. Sybergen is working on a new Secure Desktop build that will work with the Sygate build 562. Contact Sybergen, http://www.sybergen.com, for more details on their new builds.

jeff alerta
jeff@nestworks.com