SecurityTracker.com

SecurityTracker Archives

Category:   Application (Firewall)  >   Sygate Personal Firewall
Vendors:   Sygate
Sygate Personal Firewall Allows Remote Users to Traverse the Firewall in Certain Cases
SecurityTracker Alert ID:  1005970
SecurityTracker URL:  http://securitytracker.com/id/1005970
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 23 2003
Impact:   Host/resource access via network
Exploit Included:  Yes  
Version(s): 5.0
Description:   An access control vulnerability was reported in the Sygate Personal Firewall Pro edition. A remote user can send UDP packets through the firewall to open UDP ports on the protected host.

It is reported that the default configuration of the firewall permits inbound UDP packets to reach open destination ports on the firewall-protected host if the packet's source port is 137 or 138 (the NetBIOS name service and datagram service ports, respectively).

A demonstration nmap UDP scan command is provided; the -g option sets the source port of the probes to 137, and -P0 (now spelled -Pn) skips host discovery:

nmap -vv -P0 -sU 192.168.0.1 -g 137

The vendor has reportedly been notified.

Impact:   A remote user can reach open UDP ports on the firewall-protected host by sending packets from source port 137 or 138.
Solution:   No solution was available at the time of this entry.

The author of the report has indicated that, as a workaround, you can configure a rule to block all incoming UDP packets that have a source port of 137 or 138.
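The following Python model is an added illustration and is not part of the SecurityTracker entry, the original report, or Sygate's product. It models a stateless first-match packet filter with the default-allow behaviour the report describes, the workaround rule placed in front of it, and a detection heuristic for the bypass (UDP from source port 137/138 to a destination port that is not itself a NetBIOS port). The rule representation, the first-match/default-deny semantics, and the sample packets are assumptions made for the model, not a reproduction of Sygate's rule engine.

```python
"""Model of the Sygate 5.0 source-port 137/138 bypass and of the workaround rule.

Added example, not code from the advisory or the vendor. The filter is a
stateless first-match list with default deny; every packet below is a
constructed sample, not a capture.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

NETBIOS_PORTS = frozenset({137, 138})  # NetBIOS name service, datagram service


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "block"
    proto: Optional[str] = None                 # None matches any protocol
    src_ports: Optional[FrozenSet[int]] = None  # None matches any source port
    dst_ports: Optional[FrozenSet[int]] = None  # None matches any dest port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Assumed approximation of the shipped default described in the report:
# inbound UDP whose source port is 137 or 138 passes whatever the destination.
DEFAULT_RULES = [
    Rule("allow", proto="udp", src_ports=NETBIOS_PORTS),
]

# The report's workaround: an explicit block for that traffic, evaluated first.
HARDENED_RULES = [
    Rule("block", proto="udp", src_ports=NETBIOS_PORTS),
] + DEFAULT_RULES


def is_netbios_sport_bypass(pkt: Packet) -> bool:
    """Detection heuristic (an assumption of this example): genuine NetBIOS
    traffic is port-symmetric (137->137, 138->138), so UDP from 137/138 aimed
    at any other destination port looks like an nmap -g 137 style probe."""
    return (pkt.proto == "udp"
            and pkt.src_port in NETBIOS_PORTS
            and pkt.dst_port not in NETBIOS_PORTS)


# Constructed samples: the nmap -g 137 probe against SNMP (161/udp), a normal
# NetBIOS name query, and the same SNMP probe from an ephemeral source port.
NMAP_PROBE = Packet("udp", 137, 161)
NAME_QUERY = Packet("udp", 137, 137)
PLAIN_PROBE = Packet("udp", 40001, 161)

if __name__ == "__main__":
    for pkt in (NMAP_PROBE, NAME_QUERY, PLAIN_PROBE):
        print(pkt,
              "default:", filter_packet(DEFAULT_RULES, pkt),
              "hardened:", filter_packet(HARDENED_RULES, pkt),
              "flagged:", is_netbios_sport_bypass(pkt))
```

Under the default list the SNMP probe from source port 137 is allowed while the identical probe from an ephemeral port is dropped, which is the whole vulnerability; under the hardened list both are dropped. Note that the workaround rule, as the report states it, also drops inbound UDP from source port 137/138 that is genuine NetBIOS name-service or datagram-service traffic, so the detection heuristic is the more selective check for hosts that still need NetBIOS over TCP/IP.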

Vendor URL:  soho.sygate.com/products/pspf_ov.htm
Cause:   Access control error, Configuration error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Sygate Describes Fix) Re: Sygate Personal Firewall Allows Remote Users to Traverse the Firewall in Certain Cases
The vendor has described a fix.



 Source Message Contents

Subject:  Access to open udp ports with Sygate Pro 5.0


Issue : Full access to open udp ports with Sygate Pro 5.0


Vendor status: vendor was contacted but got no response from them


Description:

Sygate Pro is a personal firewall that is very easy to configure. No rules
are installed in a default configuration. A default installation pretends
to be enough to block all accesses to your ports.

By default, traffic from UDP source port 137 or 138 is allowed by
the firewall, so to bypass it you just have to set your source port
to 137 or 138. Doing this, all packets addressed to an open UDP port
will be forwarded by the firewall.


Attack :

nmap -vv -P0 -sU 192.168.0.1 -g 137


Recommendation :

Set a rule to block all incoming UDP traffic with source
port 137 or 138.



Regards,

David Fernandez Madrid,
Madrid, Spain




Copyright 2022, SecurityGlobal.net LLC