‘Sygate Personal Firewall 5.0 IP Spoofing Vulnerability’

Summary

‘Sygate Personal Firewall 5.0 is a host-based Firewall designed to protect your PC against attacks from both the Internet, and other computers in the local network.

Sygate Personal Firewall 5.0 for windows platform contains IP Spoofing vulnerability. This vulnerability could allow an attacker with a source IP of 127.0.0.1 to Attack the host protected by Sygate Personal firewall without being detected. Sygate Personal firewall is having problem detecting incoming traffic with source IP 127.0.0.1 (loopback address).’

Credit:

‘The information has been provided by Abraham Lincoln.’


Details

Vulnerable systems:
 * Sygate Personal Firewall version 5.0

Test diagram:
[*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host with SPF]

1] IP Spoofing Vulnerability Default Installation
 – SPF is vulnerable with IP Spoofing attack by Scanning the host with a source IP address 127.0.0.1 or network address 127.0.0.0. The Attacker could scan or attack the target host without being detected by the personal firewall. This vulnerability is very serious w/c an attacker could start a Denial of Service attack against the SPF protected host and launch any form of attack.

 – To those who wants to try to simulate the vulnerability, you may use source address 127.0.0.1 – 127.0.0.255.

Workaround:
1] Set the SPF to BLOCK ALL mode setting which Abraham does not think the user would do. This type of setting would block everything all incoming request and outgoing.

2] Block source address 127.0.0.1 or 127.0.0.0 network address manually in Advance rules section. ‘

Categories: Windows