Packet Storm: wingate.3.0.txt (PACKETSTORM:12085)
eEye Digital Security
Aug 17, 1999 - 12:00 a.m. (1999-08-17 00:00:00)
packetstormsecurity.com
`Date: Mon, 5 Apr 1999 17:52:51 -0700  
From: Marc <[email protected]>  
To: [email protected]  
Subject: Multiple WinGate Vulnerabilities [Tad late]  
  
At first we were just going to post this advisory to our website but after  
the subject came up on the NTSEC list and we got a few emails telling us to  
post it to the other lists... well here it is.  
  
Signed,  
Marc  
eEye Digital Security Team  
http://www.eEye.com  
  
P.S.  
Go see Matrix.  
  
________________________________________________________________________  
  
eEye Digital Security Team <e>  
www.eEye.com  
[email protected]  
February 22, 1999  
________________________________________________________________________  
  
Multiple WinGate Vulnerabilities  
  
Systems Affected  
WinGate 3.0  
  
Release Date  
February 22, 1999  
  
Advisory Code  
AD02221999  
  
________________________________________________________________________  
  
Description:  
________________________________________________________________________  
  
WinGate 3.0 has three vulnerabilities:  
1. Read any file on the remote system.  
2. DoS the WinGate service.  
3. Decrypt WinGate passwords.  
  
________________________________________________________________________  
  
Read any file on the remote system  
________________________________________________________________________  
  
We were debating whether we should add this to the advisory or not. We  
figured it would not hurt, so here it is.  
The WinGate Log File service has had holes in the past where you can  
read any file on the system; the holes still seem to be there, and  
some new ways of doing it have cropped up.  
  
http://www.server.com:8010/c:/ - NT/Win9x  
http://www.server.com:8010// - NT/Win9x  
http://www.server.com:8010/..../ - Win9x  
  
Each of the above URLs will list all files on the remote machine.  
There are a few reasons why we were not sure if we were going to post  
this information.  
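The three URLs above all share one root cause: a log-viewing service that maps whatever path the client sends straight onto the file system, so a drive letter, an empty segment, or a run of dots walks out of the log directory. The check below is an added example (not eEye's or WinGate's code) of how a log-file service should confine request paths; the log directory `/srv/wingate/logs` and the character set allowed in file names are assumptions for the illustration. It also handles the general case (any number of dots, backslashes, NUL bytes, paths that normalise back out of the root), not only the three forms the advisory lists.

```python
import posixpath
import re
from pathlib import PurePosixPath
from typing import Optional

# Assumed log directory for a hypothetical log-viewing service; WinGate's
# real configuration is not described in the advisory.
LOG_ROOT = PurePosixPath("/srv/wingate/logs")

_DRIVE_RE = re.compile(r"^[A-Za-z]:")          # "c:/" style absolute paths
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")   # conservative file-name charset


def resolve_log_path(request_path: str) -> Optional[PurePosixPath]:
    """Map an HTTP request path onto a file or directory under LOG_ROOT.

    Returns None (reject the request) for anything that is not a plain
    relative path of sane segments: drive letters ("c:/"), empty segments
    ("//"), dot-only segments of any length ("..", "..../"), backslashes,
    NUL bytes, or anything that would escape LOG_ROOT after normalisation.
    """
    if "\\" in request_path or "\x00" in request_path:
        return None
    # Strip exactly one leading slash so that "//" still shows an empty segment.
    rel = request_path[1:] if request_path.startswith("/") else request_path
    if rel == "":
        return LOG_ROOT                # listing the log directory itself is fine
    if _DRIVE_RE.match(rel):
        return None
    segments = rel.split("/")
    for seg in segments:
        if seg == "" or set(seg) == {"."} or not _SEGMENT_RE.fullmatch(seg):
            return None
    candidate = PurePosixPath(posixpath.normpath(str(LOG_ROOT.joinpath(*segments))))
    # Belt and braces: after normalisation the result must still sit under the root.
    if LOG_ROOT not in candidate.parents:
        return None
    return candidate


# Constructed request paths: the three from the advisory plus whatever else is passed in.
ADVISORY_PATHS = ["/c:/", "//", "/..../"]


def audit(paths):
    """Return {request path: resolved path or None} for a batch of request paths."""
    return {p: resolve_log_path(p) for p in paths}
```

Note that the normalisation check at the end is deliberately redundant with the per-segment filter: if a later change loosens the segment rules, the root-confinement check still holds, which is the property that actually matters.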
  
By default all WinGate services are set so that only 127.0.0.1 can use  
the service. However, the purpose of the log file service is to let  
users remotely view the logs, so chances are people using the log file  
service are not going to be leaving it on 127.0.0.1. Also, by default in  
the WinGate settings "Browse" is enabled. We are not sure if the  
developers intended the Browse option to mean the whole hard drive. We  
would hope not.  
  
The main reason we did put this in the advisory is that the average  
person using WinGate (cable modem users etc.) is not the brightest and  
will open the Log Service so that everyone has access to it. We  
understand there are papers out there saying not to do this, and even  
the program itself says not to, but the average person will not register  
this as a bad thing, so the software should at least make it as secure  
as possible. Letting people read any file is not living up to that  
standard. Anyway, let's move on...  
________________________________________________________________________  
  
DoS the WinGate Service  
________________________________________________________________________  
  
The Winsock Redirector Service sits on port 2080. When you connect to it,  
send 2000 characters and disconnect, it will crash all WinGate  
services. O Yippee  
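The failure mode here is a service that copies an unbounded request into a fixed buffer and then lets one bad connection take down every service in the process. The following is an added example (not WinGate's code) of the two mitigations a redirector service needs: a hard cap on how much of a request line it will ever buffer, and per-connection error containment so an oversized or truncated request is rejected without affecting anyone else. The 1024-byte limit and the request format are assumptions; the inputs are constructed to mirror the advisory's 2000-character blast.

```python
import io
from typing import BinaryIO, List

# Assumed ceiling for one request line; the advisory's crash used 2000 bytes.
MAX_REQUEST_BYTES = 1024


class RequestTooLarge(Exception):
    """Client sent more than MAX_REQUEST_BYTES without a line terminator."""


def read_bounded_line(stream: BinaryIO, limit: int = MAX_REQUEST_BYTES) -> bytes:
    """Read one LF-terminated request line, buffering at most `limit` bytes.

    readline(limit + 1) means the peer can never make us hold more than
    limit + 1 bytes; a result longer than `limit` is rejected outright, and
    one that ends without "\\n" means the peer disconnected mid-request.
    """
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise RequestTooLarge(f"request line exceeds {limit} bytes")
    if not line.endswith(b"\n"):
        raise EOFError("peer closed the connection before a line terminator")
    return line.rstrip(b"\r\n")


def handle_connection(stream: BinaryIO) -> str:
    """Service one client; a misbehaving client affects only its own connection."""
    try:
        line = read_bounded_line(stream)
    except RequestTooLarge:
        return "rejected: oversized request"
    except EOFError:
        return "rejected: truncated request"
    return f"ok: {len(line)}-byte request"


def simulate(payloads: List[bytes]) -> List[str]:
    """Run each constructed payload through the handler as if it were a client."""
    return [handle_connection(io.BytesIO(p)) for p in payloads]


# Constructed client inputs: the advisory's 2000-byte blast with no terminator,
# a well-formed request, and a client that hangs up mid-line.
SAMPLE_PAYLOADS = [b"A" * 2000, b"CONNECT host.example:80\r\n", b"CONN"]
```

With a real socket the stream would be `sock.makefile("rb")`; `readline(size)` on a buffered reader behaves the same way as on the in-memory `BytesIO` used here, which is what makes the pattern testable offline.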
  
________________________________________________________________________  
  
Decrypt the WinGate passwords  
________________________________________________________________________  
  
The registry keys where WinGate stores its passwords are insecure and  
let everyone read them. Therefore anyone can get the passwords and  
decrypt them. Code follows.  
  
________________________________________________________________________  
  
// [email protected]  
// [email protected]  
  
#include <stdio.h>  
#include <string.h>  
  
/* WinGate "encrypts" each password byte by XORing it with twice its  
   1-based position. XOR is its own inverse, so the same loop both  
   encodes and decodes; there is no key involved. */  
int main(int argc, char *argv[]) {  
    size_t i;  
  
    if (argc < 2) {  
        fprintf(stderr, "usage: %s <stored-password-bytes>\n", argv[0]);  
        return 1;  
    }  
    for (i = 0; i < strlen(argv[1]); i++)  
        putchar(argv[1][i] ^ (char)((i + 1) << 1));  
    putchar('\n');  
    return 0;  
}  
________________________________________________________________________  
  
You get the idea...  
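Two things about the routine above matter to a defender: the transform has no secret in it, and it is an involution (running it twice returns the input), so a "stored encrypted password" is plaintext to anyone who can read the registry key. The block below is an added example, not eEye's or WinGate's code, that demonstrates both properties in Python and sets them beside what a credential store should hold instead: a per-user salt and a slow one-way hash, verified in constant time. The PBKDF2 iteration count is an assumed work factor for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def wingate_xor(data: bytes) -> bytes:
    """The per-position XOR that the advisory's C snippet reverses.

    Byte i is XORed with ((i + 1) << 1) & 0xFF. There is no secret anywhere in
    this transform, and applying it twice returns the input, so a stored
    "encrypted" password is recoverable by anyone who can read the registry key.
    """
    return bytes(b ^ (((i + 1) << 1) & 0xFF) for i, b in enumerate(data))


def is_involution(sample: bytes) -> bool:
    """True if encoding twice gives back the original, i.e. decode == encode."""
    return wingate_xor(wingate_xor(sample)) == sample


# What a credential store should hold instead: a per-user salt and a slow,
# one-way hash. The iteration count is an assumed work factor, not WinGate's.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a verifier that cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Recompute and compare in constant time; no plaintext is ever stored."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])
```

The registry ACL problem the advisory describes still needs fixing on its own (a verifier stored world-readable can be attacked offline), but with a salted slow hash the exposure is a guessing problem rather than an instant read, which is the property the XOR scheme lacks entirely.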
  
It is good that WinGate 3.0 by default locks down all services to 127.0.0.1.  
However, there still seem to be holes where, if one gets access to the  
WinGate service from a non-blocked IP, they can do some damage. Chances  
are if you poke hard at some of the other services you will find similar  
problems to the above. Software developers need to remember that the  
average user is not always the brightest, so our products' security  
must be as tight as possible.  
  
________________________________________________________________________  
  
Vendor Status  
________________________________________________________________________  
  
Contacted a month or so ago, have heard nothing. Someone from the NTSEC  
list contacted [email protected] with our findings and was  
sent an email back rather quickly. We had sent our emails to  
[email protected] and things of the such. Maybe all three of our  
emails just got lost. The last we've heard, WinGate is taking steps to fix  
the problem. Look for patches soon.  
  
________________________________________________________________________  
  
Copyright (c) 1999 eEye Digital Security Team  
________________________________________________________________________  
  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express consent of  
eEye. If you wish to reprint the whole or any part of this alert in any  
other medium excluding electronic medium, please e-mail [email protected] for  
permission.  
  
________________________________________________________________________  
  
Disclaimer:  
________________________________________________________________________  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There are  
NO warranties with regard to this information. In no event shall the author  
be liable for any damages whatsoever arising out of or in connection with  
the use or spread of this information. Any use of this information is at the  
user's own risk.  
  
Please send suggestions, updates, and comments to:  
eEye Digital Security Team  
[email protected]  
http://www.eEye.com  
  
`