Bugtraq mailing list archives

Re: SyGate 3.11 Port 7323 / Remote Admin hole
From: brian () ASL CA (Brian Hampson)
Date: Mon, 31 Jan 2000 11:46:37 -0800

When we last heard from you, the following words rang out across the 'Net:

The Sygate gateway server is the computer that connects
to the Internet and is running the Sygate software.

Sygate runs on Win95/98 and Windows NT 4.0 (Service
Pack 3 and higher). On NT Server 4.0 it installs and
runs as an NT Service.

Sybergen does NOT document this utility.


This "Remote Administration Engine" (RAE) is SUPPOSEDLY
initiating a Telnet session to port 7323 on the Sygate
gateway. For security reasons, access to this utility
from the Internet is SUPPOSED to be blocked.

However, I have been able to access the Sygate Remote
Administration Engine from outside the Sygate gateway.

I have been able to initiate a Telnet session to port
7323 of a Sygate 3.11 gateway from machines on the
Internet that were supposed to NOT be able to establish
this kind of connection.

I have been able to duplicate this security hole on a
number of machines running Windows NT Server 4.0 with
Service Pack 4 and Sygate 3.11 builds 556 and 560. I
have not tested this on Win95/98. Also, all these NT
servers did NOT have the Sygate "Enhanced Security"
feature enabled, nor were these NT servers running
Secure Desktop (SyShield), a Sybergen firewall product.

Verified with NT Workstation and Sygate as well.

HOWEVER, this access via Telnet over the Internet is
possible only ONCE per NT Server reboot. I do not know
why this is so but after ending the initial Internet
connection to port 7323 of the Sygate server, another
Telnet session cannot connect to that port until the NT
server is rebooted.

Verified as well. Odd but handy.  I suppose another interim fix is to make
sure you telnet from external as soon as your machine has booted :)



   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
     ----------------- http://www.ASL.CA/ ----------------------------

Speaking for myself, not ASL
