eeye.99-02-22.wingate
75296fecb26152a52ce6f1a407ca4f483e0f650876e01f1ed6aab6c41f3e99a5
[INLINE] [INLINE]
[INLINE] eEyelogosmall
Home Hire News Alerts Articles Books Tools Links Contact Press
[INLINE] [INLINE] [INLINE]
eEye - Digital Security Team Alert
Multiple WinGate Vulnerabilites
Systems Affected
WinGate 3.0
Release Date
February 22, 1999
Advisory Code
AD02221999
Description:
WinGate 3.0 has three vulnerabilites.
1. Read any file on the remote system.
2. DoS the WinGate service.
3. Decrypt WinGate passwords.
Read any file on the remote system
We were debating if we should add this to the advisory or not. We
figured it would not hurt so here it is. The WinGate Log File service in the past has had holes were
you can read any file on the system and the holes still seem to be there and some new ways of doing
it have cropped up.
http://www.server.com:8010/c:/ - NT/Win9x
http://www.server.com:8010// - NT/Win9x
http://www.server.com:8010/..../ - Win9x
Each of the above urls will list all files on the remote machine.
There are a few reasons why we were not sure if we were going to post this information.
By default all WinGate services are set so that only 127.0.0.1
can use the service. However the perpose is to let users remotely view the logs so therefore chances
are people using the log file service are not going to be leaving it on 127.0.0.1. Also by default
in the WinGate settings "Browse" is enabled. We are not sure if the developers intended the Browse
option to mean the whole hard drive. We would hope not.
The main reason we did put this in the advisory is the fact that
the average person using WinGate (Cable Modem Users etc..) are not the brightest of people and they
will open the Log Service so that everyone has access to it. We understand there are papers out
there saying not to do this and even the program it self says not to, but the average person will
not let this register in their head as a bad thing so the software should at least make it as secure
as possible. Letting people read any file is not living to that standard. Anyways, lets move on...
DoS the WinGate Service
The Winsock Redirector Service sits on port 2080. When you connect to it and send 2000 characters
and disconnect it will crash all WinGate services. O Yipee.
Decrypt the WinGate passwords
The registry keys where WinGate stores its passwords are insecure and let everyone read them.
Therefore anyone can get the passwords and decrypt them. Code follows.
// ChrisA@eEye.com
// Mike@eEye.com
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
main(int argc, char *argv[]) {
char i;
for(i = 0; i < strlen(argv[1]); i++)
putchar(argv[1][i]^(char)((i + 1) << 1));
return 0;
}
You get the idea...
It is good that WinGate 3.0 by default locks down all services to
127.0.0.1. However, there still seems to be holes were if one gets
access to the WinGate service, non-blocked ip, they can do some damage. Chances are if you poke hard
at some of the other services you will find similar problems as above.
Vendor Status
Contacted a month or so ago, have heard nothing. Someone from the NTSEC list contact
eval-support@wingate.net with our findings and they were sent an email back rather quickly. We had
sent our emails to support@wingate.net. Maybe all three of our emails just got lost.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert electronically. It is not to be
edited in any way without express consent of eEye. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer:
The information within this paper may change without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
http://www.eEye.com
[INLINE]
[LINK]
[INLINE]
Copyright © 1998-1999 eEye.com - All Rights Reserved. eEye is an www.eCompany.com Venture.