Quis custodiet custodes ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 January, 2000 18:20
To: Robert Hillery
Subject: Re: Undocumented back door

Please send it to [EMAIL PROTECTED]

Cheers.

* Robert Hillery ([EMAIL PROTECTED]) [000127 20:40]:
> Elias,
> What follows is a copy of my submission to SANS GIAC re a curious open
> port I had at tcp 7323 on an NT server system w/ SyGate's 3.1 NAT installed.
> Greg Shipley suggested I send it to you at BugTraq, also.
>
> Bob Hillery,
> NHCTC Pease
> Cogito, ergo sum...cogito
>
> "FYI, I discussed a possible solution to one of Steve's examples at last
> week's SNAP DC conference. Specifically, he had an indication of a
> session directed to the unknown port of 7306 and was at the time unsure of
> its meaning.
> I had a similar problem -- and discovered the answer. I had just set up
> an NT server as a multi-homed system w/ NAT (SyGate 3.1 build 553)
> and did an internal port scan to verify the setup. I was surprised by an
> active listening port at 7323.
> I did a telnet from another computer in the net and got (sic):
>
> ""SyGate 3.11 for Windows 95/98/NT build 556
> > Welcome to engine remote controller!
> > For security purpose, engine remote controller can be access only from your
> Local Area Network (LAN).
>
> > ======== Function Key ==========
> > P Stop Service
> > D Display Engine Status
> > N To Dial ( Dial-Up Networking only )
> > F To Hang Up( Dial-Up Networking only )
> > T Display All TCP Connection(s)
> > U Display All UDP Connection(s)
> >
> > Ready to accept command. Press one function key, or 'H' for help.""
>
> WOW.
> I was told in my first email to Sybergen, who write SyGate, SyShield, and
> Sy Access, that although it is completely undocumented this was for
> "maintenance purposes only." My second email asked the what if -- any other
> access route?
> The answer was (ahem):
>
> ""From: Customer Support [ mailto:sgsupport@Sybergen
> > <mailto:sgsupport@Sybergen> ]
> > Sent: Monday, December 20, 1999 5:21 PM
> > To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > Subject: RE: sg
> > Port 7323 is used for telnet session for SyGate within a LAN, if someone did
> use the RAS (on a SyGate client machine) and able to get the same TCP/IP
> setting as other LAN computers, then telneting the server is possible and
> that will post a security hole.
>
> Sincerely,
> Customer Support
> Sybergen Networks, Inc.""
>
> Last step was a live test. One of my students is also the SysAdmin of a
> local private High School's network. He telnetted in from our classroom,
> across at least 4 routers, including some public net, successfully got the
> SyGate remote control screen...and proceeded to shut his own system down.
> So much for remote maintenance...Many thanks to Chris R. for the test (and
> his colleague who immediately reset (and closed 7323) the system that Friday
> afternoon).
> I've seen on the SANS list of port uses (in the FAQ) that 7306 is
> associated w/ NetMonitor; a program designed for remote control of kiosks &
> ATMs. My suspicion is that 7306 and others may be the "maintenance"
> backdoors to this and other such programs. I suggest an occasional internal
> port scan to verify system port settings. Any program that makes something
> easy, well...makes things easy!"

--
Elias Levy
Security Focus
http://www.securityfocus.com/
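
The periodic port verification suggested in the message above, sketched as an added example that is not part of the original post or any vendor tooling: it parses `netstat -an` output from the host itself, flags TCP listeners missing from a documented baseline, and reports which interfaces each one is bound to. The sample output, the baseline set and the interface addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output for a multi-homed NAT host.
# Addresses are illustrative (RFC 1918 / RFC 5737), not taken from the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7323           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1045       192.168.0.20:23        ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Assumed baseline: TCP ports the administrator has documented for this host.
DOCUMENTED_TCP = {135, 139}
# Assumed interface addresses of the multi-homed host (inside, outside).
INTERFACES = {"192.168.0.1": "LAN", "203.0.113.10": "public"}

def listening_tcp(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, _, port = fields[1].rpartition(":")
            yield addr.strip("[]"), int(port)

def exposure(addr):
    """Name the interfaces a listener bound to `addr` is reachable on."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return ["loopback"]
    if ip.is_unspecified:  # 0.0.0.0 = every interface, public side included
        return sorted(INTERFACES.values())
    return [INTERFACES.get(addr, "unknown")]

def audit(netstat_text, documented=DOCUMENTED_TCP):
    """Return {port: [interfaces]} for listeners missing from the baseline."""
    findings = {}
    for addr, port in listening_tcp(netstat_text):
        if port not in documented:
            findings.setdefault(port, []).extend(exposure(addr))
    return findings

if __name__ == "__main__":
    for port, where in sorted(audit(SAMPLE_NETSTAT).items()):
        print(f"undocumented TCP listener on {port}: bound to {', '.join(where)}")
```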