COMMAND
SyGate
SYSTEMS AFFECTED
SyGate 3.11
PROBLEM
Jeff Alerta found the following. Sygate 3.11 by Sybergen is an
Internet Access Sharing program. Sygate enables users to connect
multiple computers to the Internet over a single connection
(dial-up, ISDN, DSL, Cable Modem, etc.). The Sygate gateway
server is the computer that connects to the Internet and is
running the Sygate software.
Sygate uses a built-in DHCP server to assign IP addresses to
computers running behind the Sygate gateway and NAT to allow
access by these computers to the Internet. Sygate runs on
Win95/98 and Windows NT 4.0 ( Service Pack 3 and higher). On NT
Server 4.0 it installs and runs as an NT Service.
Included with Sygate 3.11 (and possibly earlier versions) is a
"Remote Administration Engine" (RAE), a utility that
allows users to remotely administer Sygate processes and monitor
Sygate activity, such as traffic from the Internet to machines
behind the Sygate gateway and vice versa.
Sybergen does NOT document this utility.
An example of the information that is provided by this utility is
the IP address and port of a computer being accessed behind the
Sygate gateway and the IP address and port of the computer
accessing it from outside the Sygate gateway. It allows the user
to monitor TCP and UDP processes going through the Sygate gateway
and to shut down the Sygate gateway process, thereby terminating
all access to the Internet.
This "Remote Administration Engine" (RAE) is SUPPOSEDLY
ACCESSIBLE ONLY FROM THE INTERNAL NETWORK, by initiating a Telnet
session to port 7323 on the Sygate gateway. For security reasons,
access to this utility from the Internet is SUPPOSED to be
blocked.
However, Jeff was able to access the Sygate Remote Administration
Engine from outside the Sygate gateway. He has been able to
initiate a Telnet session to port 7323 of a Sygate 3.11 gateway
from machines on the Internet that were supposed to NOT be able
to establish this kind of connection.
Jeff duplicated this security hole on a number of machines
running Windows NT Server 4.0 with Service Pack 4 and Sygate 3.11
builds 556 and 560 (not tested on Win95/98). Also, all these NT
servers did NOT have the Sygate "Enhanced Security" feature
enabled, nor were these NT servers running Secure Desktop
(SyShield), a Sybergen firewall product.
Another problem that compounds the issue is that, since the RAE
was designed to be accessible only from behind the Sygate gateway,
there is no user authentication whatsoever when accessing it. No
username or password is requested. You are given direct access to
the utility as soon as a connection over the Internet is established.
HOWEVER, this access via Telnet over the Internet is possible
only ONCE per NT Server reboot. The reason is not known, but after
ending the initial Internet connection to port 7323 of the Sygate
server, another Telnet session cannot connect to that port until
the NT server is rebooted. Just stopping and re-starting the
Sygate service will not allow any further Internet connections.
The NT server must be re-booted before another Telnet session to
port 7323 over the Internet will work.
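A practitioner checking a gateway for this exposure only needs to know whether an external TCP session to port 7323 is accepted at all, and, because of the once-per-reboot behaviour described above, must not retry after a positive result. The following probe is an added example for this advisory, not Sybergen code: it performs a single TCP connect, reads whatever the service sends first, and never issues RAE commands. The host, port and timeout values are assumptions to be set by the tester, and the constructed one-shot listener stands in for the gateway so the probe can be exercised offline.

```python
"""Probe a Sygate gateway for the undocumented Remote Administration
Engine (RAE) listener on TCP port 7323 (added example, not Sybergen
code). The banner text and the local listener below are constructed
for offline testing; a real gateway may send nothing at all."""
import socket
import threading

RAE_PORT = 7323  # port named in the advisory


def probe_rae(host, port=RAE_PORT, timeout=5.0):
    """Return ("open", banner) if a TCP session is accepted,
    ("refused", "") if the port actively refuses, ("timeout", "") if
    nothing answers within `timeout` seconds, or ("error", reason).

    The RAE accepts only ONE external session per reboot, so a single
    "open" result is already a positive finding. Do not loop and retry:
    a second probe reports "refused" until the gateway is rebooted.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512)          # read only; send no commands
            except socket.timeout:
                banner = b""
            return ("open", banner.decode("latin-1", "replace"))
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))


def one_shot_listener(banner=b"Sygate Remote Administration Engine\r\n"):
    """Constructed stand-in for the gateway: accepts exactly one
    connection, sends a (made-up) banner, then stops listening, which
    mirrors the once-per-reboot behaviour in the advisory.
    Returns (bound_port, server_thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()  # no further sessions until a "reboot"

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    port, srv_thread = one_shot_listener()
    print("first probe :", probe_rae("127.0.0.1", port, timeout=2.0))
    srv_thread.join(2.0)
    print("second probe:", probe_rae("127.0.0.1", port, timeout=2.0))
```

Run the probe from a host outside the gateway. One "open" result consumes the single session the gateway allows; afterwards the port reports "refused" and, per the advisory, only a reboot of the NT server (not a restart of the Sygate service) restores it, so coordinate with the gateway's administrators before testing.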
Once a Telnet connection has been established to port 7323, it is
possible to monitor all TCP and UDP traffic going in and out of
the Sygate gateway. It is possible to draw a detailed diagram of
the network behind the Sygate gateway based on IP addresses and
ports in use. It is also possible to shutdown the Sygate Service
disconnecting all Internet connections. If the system
administrators of that network are unaware of this ability to
remotely shut down the Sygate service (and it is very possible
that they are NOT aware of it; Jeff's discovery of the RAE utility
was accidental, and Sybergen does not document the utility, only
mentioning it in passing in their Sygate FAQ), this could drive
the SysAdmins nuts trying to figure out what is causing the
Sygate server to shut down.
This exploit only works when Sybergen Secure Desktop (SyShield)
build 177, a firewall product designed to protect the SyGate 3.11
gateway computer, is NOT installed AND the Sygate "Enhanced
Security" mode is NOT enabled. Installing Secure Desktop (SyShield)
on the Sygate 3.11 server OR enabling the Sygate 3.11 "Enhanced
Security" mode will therefore block this exploit.
Jeff Alerta talked about the fact he was able to connect to the
Sygate Management Console (port 7323) from outside of the
internal network, something which was not supposed to be possible.
The installation process for Sygate uses inverse DNS queries
(gethostbyaddr) to determine which interface is the "trusted"
network, and which is to the "internet". It sends out a lookup
request and whichever NIC in the Sygate box returns the response
is deemed to be the "internet". Ergo, the other NIC is the
"trusted" network.
If you don't host your own DNS server, this method probably
returns the desired results. If you do host your own DNS server,
then the response is quite possibly going to come from your
internal NIC. The result will be that your internal network will
be deemed the "internet", and the internet deemed your "trusted"
network. This was tested on version 2.0 of Sygate as well, and the
security hole is there too. In version 2.0 you have to specify
the "internet" NIC, so there are no DNS queries to determine the
"trusted" network. All tests were done without a "local" DNS
server.
Given that the product is targeted at home office users, they
could probably argue that most of their customers' installations
are done correctly. Infosec folks who might be evaluating the
product are likely to find different results in a test environment
where an existing network connection to the internet could fool
the Sygate box as described above.
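To make the interface-detection failure concrete, the following model is an added example for this advisory and is not Sygate's installer code. It reproduces the described heuristic (the NIC on which the DNS reply arrives is the "internet" side, the other NIC is "trusted") by approximating "which NIC carries the reply" with a longest-prefix match of the resolver address against the local subnets, falling back to the NIC holding the default route. Interface names, subnets and resolver addresses are constructed.

```python
"""Model of the Sygate interface-detection heuristic described above
(added example, not Sygate code). Interfaces and resolver addresses
below are constructed; the real installer's routing decision is
approximated by longest-prefix match plus a default-route fallback."""
import ipaddress


def reply_interface(interfaces, resolver, default_iface):
    """Return the name of the NIC a DNS reply from `resolver` arrives on.

    interfaces:    {nic_name: "address/prefixlen"}
    default_iface: NIC holding the default route (the real uplink)
    A resolver on a directly attached subnet answers via that NIC;
    anything else is reached through the default route.
    """
    addr = ipaddress.ip_address(resolver)
    best = None
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else default_iface


def classify(interfaces, resolver, default_iface):
    """Apply the heuristic: the NIC that sees the DNS reply is labelled
    "internet", every other NIC is labelled "trusted"."""
    internet = reply_interface(interfaces, resolver, default_iface)
    return {"internet": internet,
            "trusted": [n for n in interfaces if n != internet]}


def misclassified(interfaces, resolver, default_iface):
    """True when the heuristic labels something other than the real
    uplink as "internet", i.e. the internal LAN is exposed as the
    untrusted side and the Internet becomes the "trusted" network."""
    return classify(interfaces, resolver, default_iface)["internet"] != default_iface


# Constructed two-NIC gateway: nic0 is the uplink, nic1 the office LAN.
GATEWAY_NICS = {"nic0": "203.0.113.5/24", "nic1": "192.168.1.1/24"}
UPLINK = "nic0"
ISP_RESOLVER = "198.51.100.53"   # reached via the default route
LAN_RESOLVER = "192.168.1.10"    # a DNS server hosted on the LAN

if __name__ == "__main__":
    for resolver in (ISP_RESOLVER, LAN_RESOLVER):
        result = classify(GATEWAY_NICS, resolver, UPLINK)
        print(resolver, "->", result,
              "(WRONG)" if misclassified(GATEWAY_NICS, resolver, UPLINK) else "(ok)")
```

With the ISP's resolver the reply comes back over the uplink and the labels are right; with a resolver on the LAN the reply arrives on the internal NIC, which the heuristic then calls "internet", so the Internet-facing NIC is treated as the trusted side. The check an evaluator wants is therefore simple: before trusting the installer's choice, compare the NIC it labelled "internet" with the NIC that actually holds the default route.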
SOLUTION
Sybergen has released new beta builds of their SyGate 3.11,
Secure Desktop and Secure Access products that fix the port 7323
Telnet hole. According to them they have closed Internet access
to the remote admin utility at port 7323. They have also added
support for Windows Millennium and dual-CPU NT servers.
These builds now work together so upgrading your Sygate 3.11
server will require that you upgrade Secure Access (SyShield) to
the new version. Here are the links:
SyGate 3.11 Build 563
http://www.sygate.com/SG563.exe
Sybergen Access Server Build 558
http://www.sygate.com/SA558.exe
Sybergen Secure Desktop Build 182
http://www.sygate.com/SD182.exe