[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Sygate Personal Firewall IP Spoofing Vulnerability

To: isn@xxxxxxxxxxxxx
Subject: [ISN] Sygate Personal Firewall IP Spoofing Vulnerability
From: InfoSec News <isn@xxxxxxx>
Date: Wed, 18 Sep 2002 01:51:16 -0500 (CDT)
Delivery-date: Wed, 18 Sep 2002 14:32:35 +0200
Envelope-to: isn@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Reply-to: InfoSec News <isn@xxxxxxx>
Sender: owner-isn@xxxxxxxxxxxxx

http://www.net-security.org/vuln.php?id=2047

Contributed to HNS by Abraham Lincoln <sunninja@xxxxxxxxxxxxx>

NSSI-Research Labs Security Advisory

Sygate Personal Firewall 5.0 IP Spoofing Vulnerability

Author: Abraham Lincoln Hao / SunNinja e-Mail: abraham@xxxxxxxxxxxxxx 
/ SunNinja@xxxxxxxxxxxxx

Advisory Code: NSSI-2002-sygatepfw5

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / 
Win2K Professional

Vendor Status: Vendor already accepted the vulnerability and they will 
be releasing new version to Patch the vulnerability 

Vendors website: http://www.sygate.Com
Severity: High 

Overview:
Sygate Personal Firewall 5.0 is a host-based Firewall designed to 
protect your PC against attacks from both the Internet, and other 
computers in the local network.

Sygate Personal Firewall 5.0 for windows platform contains IP Spoofing 
vulnerability. These vulnerability could allow an attacker with a 
source IP of 127.0.0.1 to Attack the host protected by Sygate Personal 
firewall without being detected. Sygate Personal firewall is having 
problem detecting incoming traffic with source ip 127.0.0.1 (loopback 
address) 
Details:

Test diagram:
[*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps 
switch===> [Host with SPF] 
 1] IP Spoofing Vulnerability Default Installation

- SPF is vulnerable with IP Spoofing attack by Scanning the host with 
a source ip address 127.0.0.1 or network address 127.0.0.0. The 
Attacker could scan or attack the target host without being detected 
by the personal firewall. This vulnerability is very serious w/c an 
attacker could start a Denial of Service attack against the spf 
protected host and launch any form of attack.

- To those who wants to try to simulate the vulnerability, you may use 
source address 127.0.0.1 - 127.0.0.255 ;) 

Workaround:

1] Set the SPF to BLOCK ALL mode setting which i don't think the user 
would do ;) This type of setting would block everything all incoming 
request and outgoing.

2] Block source address 127.0.0.1 or 127.0.0.0 network address 
manually in Advance rules section. 

Any Questions? Suggestions? or Comments? let us know. (Free your mind)

e-mail: nssilabs@xxxxxxxxxxxxxx / abraham@xxxxxxxxxxxxxx / 
infosec@xxxxxxxxxxxxxx

greetings:
nssilabs team bring the heat! ;) Lawless the saint ;), dig0, b45h3r, 
jethro, mr. d.f.a, p1x3lb0y, rj45-gu1t4rgawd and to our webmaster 
raymund (R2/D2)



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.

Prev by Date: [ISN] PDF Copy of National Cybersecurity Strategy Now Available
Next by Date: RE: [ISN] White House to unveil initiative for protection against cyberattacks
Previous by thread: [ISN] PDF Copy of National Cybersecurity Strategy Now Available
Next by thread: [ISN] Slapper worm slowly spreading
Index(es):
- Date
- Thread