SyGate Insecure UDP Source Port Firewall Bypass Weak Default Configuration Vulnerability
Solution: The two advanced rules below block UDP datagrams whose remote (source) port is 137 or 138 but whose local (destination) port is anything other than the matching NetBIOS port. Ordinary NetBIOS traffic (137 to 137, 138 to 138) still flows, while datagrams that merely claim a NetBIOS source port in order to reach some other local service are dropped instead of being passed by the default configuration.

The following steps add a NetBIOS Name Service rule for UDP port 137 in Sygate Personal Firewall:

1. Under the Advanced Rule Editor, click the Add button.
2. For the Rule Description, enter NetBIOS Name Service.
3. Select Block this traffic.
4. Under Apply Rule to Network Interface, choose All network interface cards.
5. Under Apply this rule during Screensaver Mode, choose Both on and off.
6. Switch to the Hosts tab.
7. Under Apply this rule to, choose All Addresses.
8. Switch to the Ports and Protocols tab.
9. Under Protocol, choose UDP.
10. Under Remote, choose NETBIOS-NS(137).
11. Under Local, enter 0-136,138-65535.
12. Under Traffic Direction, choose Both.
13. Click OK.

The following steps add a NetBIOS Datagram Service rule for UDP port 138 in Sygate Personal Firewall:

1. Under the Advanced Rule Editor, click the Add button.
2. For the Rule Description, enter NetBIOS Datagram Service.
3. Select Block this traffic.
4. Under Apply Rule to Network Interface, choose All network interface cards.
5. Under Apply this rule during Screensaver Mode, choose Both on and off.
6. Switch to the Hosts tab.
7. Under Apply this rule to, choose All Addresses.
8. Switch to the Ports and Protocols tab.
9. Under Protocol, choose UDP.
10. Under Remote, choose NETBIOS-DGM(138).
11. Under Local, enter 0-137,139-65535.
12. Under Traffic Direction, choose Both.
13. Click OK.

Users of Sygate Management Server (SMS) that provide configurations for Sygate Security Agent should apply the rule by following these steps:

1. Switch to the Policies tab.
2. Switch to the Simple Rules sub tab.
3. Select the group for the new rule (or the Global group for all groups).
4. Active Directory Sharing and Network Neighborhood Sharing should not be enabled.
5. Switch to the Advanced Rules sub tab.
6. Expand the locations list.
7. Choose the locations for the new rule.
8. Expand the Security icon for a list of available adapters.
9. Under the list of available adapters, choose All Adapters.
10. For the Rule Description, enter Allow NetBIOS Browsing.
11. Click Add.
12. Under All Adapters, choose the Allow NetBIOS Browsing rule.
13. Under Events and Triggers, switch to the Applications tab.
14. Choose a Priority and Severity level appropriate to the environment.
15. Make sure the Enable Application Triggers check box is checked.
16. Click Add.
17. For the Application Description, enter NT OS Kernel.
18. For the file name, enter ntoskrnl.exe.
19. Make sure the Create Application Fingerprint check box is checked.
20. Click OK.
21. Click Add.
22. For the Application Description, enter Windows OS Kernel.
23. For the file name, enter kernel32.dll.
24. Make sure the Create Application Fingerprint check box is checked.
25. Click OK.
26. Under Events and Triggers, switch to the Services tab.
27. Make sure the Enable Port and Protocols Triggers check box is checked.
28. Under Service Type, choose Remote TCP Ports.
29. For Triggers, select netbios-ssn (port 139) and microsoft-ds (port 445).
30. Click Add and use 135 as the Port Number and netbios-dce as the Description.
31. Click OK.
32. Click Add and use 1026 as the Port Number, 1027 as the To Port Number, and User Defined as the Description.
33. Click OK.
34. Under Service Type, choose Remote UDP Ports.
35. Choose kerberos (port 88), netbios-ns (port 137), and netbios-dgm (port 138) as the Triggers.
36. Under Actions, choose Drop.
37. Check the box for Write to Traffic Log.
38. Click Apply at the top of the SMS window.
39. Verify that the rule was created for the appropriate group.
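The following Python script is an added example, not part of the advisory and not Sygate's code. It models the two Personal Firewall rules above (Remote port 137 or 138, Local port everything except the matching NetBIOS port, protocol UDP) so the effect of the Local port ranges can be checked, and it includes a small probe that sends one UDP datagram from a chosen source port so the rules can be verified against a test host. The rule evaluation is an assumption about how Sygate applies the Remote and Local fields (both must match for the rule to fire); the firewall's actual ordering and default policy are not reproduced. The probe binds a privileged source port, so it needs root or Administrator rights, and it should only be run against hosts you own.

```python
"""Model of the two Sygate advanced block rules plus a UDP source-port probe.

Added example for the advisory above; assumes a rule fires only when protocol,
Remote (source) port and Local (destination) port all match.
"""
import socket
from dataclasses import dataclass


def parse_port_list(spec):
    """Parse Sygate-style port lists such as "0-136,138-65535" into (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def in_ports(port, ranges):
    """True if port falls inside any inclusive (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class BlockRule:
    description: str
    protocol: str          # "udp" or "tcp"
    remote_ports: list     # ranges for the Remote (source) port
    local_ports: list      # ranges for the Local (destination) port

    def matches(self, protocol, remote_port, local_port):
        return (protocol == self.protocol
                and in_ports(remote_port, self.remote_ports)
                and in_ports(local_port, self.local_ports))


# The two rules from the Solution section: Remote 137 or 138, Local every port
# except the matching NetBIOS port, protocol UDP, direction Both.
RULES = [
    BlockRule("NetBIOS Name Service", "udp",
              parse_port_list("137"), parse_port_list("0-136,138-65535")),
    BlockRule("NetBIOS Datagram Service", "udp",
              parse_port_list("138"), parse_port_list("0-137,139-65535")),
]


def verdict(protocol, remote_port, local_port, rules=RULES):
    """Return "block" if one of the added rules matches, else "pass".

    "pass" means only that these two rules do not fire; the firewall's other
    rules and default policy then decide.
    """
    for rule in rules:
        if rule.matches(protocol, remote_port, local_port):
            return "block"
    return "pass"


def send_udp_probe(target, target_port, source_port, payload=b"probe"):
    """Send one UDP datagram from a fixed source port to the target.

    Binding a port below 1024 needs root/Administrator. A listener on the
    target (for example a UDP netcat) shows whether the datagram got through.
    Returns the number of bytes sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", source_port))
        return s.sendto(payload, (target, target_port))


if __name__ == "__main__":
    # Constructed sample traffic: legitimate NetBIOS versus spoofed-source-port datagrams.
    samples = [
        ("udp", 137, 137),    # normal NetBIOS name service: still passes
        ("udp", 137, 1434),   # source port 137 aimed at SQL Monitor: blocked
        ("udp", 138, 138),    # normal NetBIOS datagram service: still passes
        ("udp", 138, 53),     # source port 138 aimed at DNS: blocked
        ("udp", 53, 53),      # not covered by these rules
        ("tcp", 137, 80),     # TCP is not matched by the UDP rules
    ]
    for proto, remote, local in samples:
        print(f"{proto} remote={remote:5d} local={local:5d} -> {verdict(proto, remote, local)}")
```

To verify the rules on a real host, start a UDP listener on the protected machine on a port other than 137/138, then call `send_udp_probe(host, that_port, 137)` from another machine: before the rules are added the payload should arrive, afterwards it should not, while `send_udp_probe(host, 137, 137)` must still reach a listener on 137.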