what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 23, 1999


SHA-256 | 75296fecb26152a52ce6f1a407ca4f483e0f650876e01f1ed6aab6c41f3e99a5


Change Mirror Download

[INLINE] eEyelogosmall
Home Hire News Alerts Articles Books Tools Links Contact Press

eEye - Digital Security Team Alert

Multiple WinGate Vulnerabilites
Systems Affected
WinGate 3.0
Release Date
February 22, 1999
Advisory Code
WinGate 3.0 has three vulnerabilites.
1. Read any file on the remote system.
2. DoS the WinGate service.
3. Decrypt WinGate passwords.
Read any file on the remote system
We were debating if we should add this to the advisory or not. We
figured it would not hurt so here it is. The WinGate Log File service in the past has had holes were
you can read any file on the system and the holes still seem to be there and some new ways of doing
it have cropped up.
http://www.server.com:8010/c:/ - NT/Win9x
http://www.server.com:8010// - NT/Win9x
http://www.server.com:8010/..../ - Win9x
Each of the above urls will list all files on the remote machine.
There are a few reasons why we were not sure if we were going to post this information.
By default all WinGate services are set so that only
can use the service. However the perpose is to let users remotely view the logs so therefore chances
are people using the log file service are not going to be leaving it on Also by default
in the WinGate settings "Browse" is enabled. We are not sure if the developers intended the Browse
option to mean the whole hard drive. We would hope not.
The main reason we did put this in the advisory is the fact that
the average person using WinGate (Cable Modem Users etc..) are not the brightest of people and they
will open the Log Service so that everyone has access to it. We understand there are papers out
there saying not to do this and even the program it self says not to, but the average person will
not let this register in their head as a bad thing so the software should at least make it as secure
as possible. Letting people read any file is not living to that standard. Anyways, lets move on...
DoS the WinGate Service
The Winsock Redirector Service sits on port 2080. When you connect to it and send 2000 characters
and disconnect it will crash all WinGate services. O Yipee.
Decrypt the WinGate passwords
The registry keys where WinGate stores its passwords are insecure and let everyone read them.
Therefore anyone can get the passwords and decrypt them. Code follows.
// ChrisA@eEye.com
// Mike@eEye.com
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
main(int argc, char *argv[]) {
char i;
for(i = 0; i < strlen(argv[1]); i++)
putchar(argv[1][i]^(char)((i + 1) << 1));
return 0;
You get the idea...
It is good that WinGate 3.0 by default locks down all services to However, there still seems to be holes were if one gets
access to the WinGate service, non-blocked ip, they can do some damage. Chances are if you poke hard
at some of the other services you will find similar problems as above.
Vendor Status
Contacted a month or so ago, have heard nothing. Someone from the NTSEC list contact
eval-support@wingate.net with our findings and they were sent an email back rather quickly. We had
sent our emails to support@wingate.net. Maybe all three of our emails just got lost.
Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert electronically. It is not to be
edited in any way without express consent of eEye. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for


The information within this paper may change without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team


Copyright © 1998-1999 eEye.com - All Rights Reserved. eEye is an www.eCompany.com Venture.
Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    11 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By