Wingate_Registry_sploit.txt

1999-08-17T00:00:00
ID PACKETSTORM:12191
Type packetstorm
Reporter TermAnnex
Modified 1999-08-17T00:00:00

Description

Problem:
All of the WinGate server settings are stored in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate".
This makes it possible for anyone with registry editing permissions (remote or physical) to change WinGate
settings. On Windows NT that comes down to the ACL on that key (and on remote registry access); Windows 95/98
has no registry permissions at all, so there anyone who can reach the registry can do this.
  
Details:
With about 10 minutes of exploration of the WinGate settings I was able to re-enable the Guest account (which I
had disabled) and give it administration access with no password. Since all the settings for the WinGate server are
kept in the registry, it is possible to change anything about the server, from what the server returns on
errors to enabling or disabling services.
The attack I've experimented with so far is giving Guest admin access; this was accomplished by
completing the following steps:
-Locate the account under "HKEY_LOCAL_MACHINE\Software\Qbik
Software\Wingate\UserDatabase\(username here)". In this case we are looking for Guest, so all
the options for Guest are located under "HKEY_LOCAL_MACHINE\Software\Qbik
Software\Wingate\UserDatabase\Guest". For my fingers' sake, all keys or values I refer to below are under
that key unless stated otherwise.
-Let's say the Guest account is not enabled. To find out whether it is enabled, look at the
"AccountEnabled" value: if the account is disabled it is set to `0' or a very long number; if the account is
enabled it is set to `1'. So set "AccountEnabled" to `1'. Simple enough.
-Now that the Guest account is enabled, you want to remove the Guest account's password. The
password is stored encrypted, so I can't read it, which means we just cut it out: set "Password" to an empty
string. Once again, very simple; anyone can do this.
-To finish up, go to "HKEY_LOCAL_MACHINE\Software\Qbik
Software\Wingate\UserDatabase\Administrators\Members", add a numeric value to this key, name it
the username you want to gain access with (Guest here), and set it to zero.
  
You will need to restart the WinGate engine for any settings changed this way to take effect. If
you have physical access, this shouldn't be too hard; if you have remote access, using a DoS to restart
the whole system, or possibly some sort of trojan to kill and restart the process, wouldn't be too
difficult either.
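The three steps above turned into a check rather than an attack: an added example (not part of the original advisory and not Qbik's code) that parses a regedit export of the WinGate key and flags any account that is enabled, has an empty "Password", or appears under Administrators\Members, so the exact values the attack leaves behind can be spotted in an export taken from a server. The .reg text inside is a constructed sample; the value names (AccountEnabled, Password, the member entries) are the advisory's, while the value types (dword vs. string), the Administrator account's password blob, and the assumption that the "Administrators" key is a group rather than an account are mine.

```python
"""Audit a WinGate registry export for the Guest-escalation pattern above."""
import re

# Root key named in the advisory.
WINGATE_ROOT = r"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate"

# Constructed sample in REGEDIT4 export format, showing the state the three
# steps above leave behind.  Value names are the advisory's; the value types
# (dword for AccountEnabled and the member entries, a string for Password)
# and the Administrator account's password blob are assumptions.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrator]
"AccountEnabled"=dword:00000001
"Password"="9f86d081884c7d65"

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest]
"AccountEnabled"=dword:00000001
"Password"=""

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators]

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members]
"Administrator"=dword:00000000
"Guest"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Minimal REGEDIT4 parser: {key path: {value name: int | str | raw}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rhs = m.groups()
        if rhs.startswith("dword:"):
            keys[current][name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = rhs[1:-1]
        else:
            keys[current][name] = rhs          # hex:... and friends kept raw
    return keys


def audit_wingate(keys, root=WINGATE_ROOT):
    """Return {account: [problem, ...]} for accounts matching the attack."""
    prefix = (root + "\\UserDatabase\\").lower()   # registry paths are case-insensitive
    members = set()
    for key, values in keys.items():
        if key.lower() == prefix + "administrators\\members":
            members = {n.lower() for n in values}
    issues = {}
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(prefix):]
        # Skip nested keys and the Administrators group key itself
        # (assumed not to be an account).
        if "\\" in name or name.lower() == "administrators":
            continue
        enabled = values.get("AccountEnabled") == 1     # advisory: 1 = enabled
        empty_pw = values.get("Password") == ""         # step 2 of the attack
        is_admin = name.lower() in members              # step 3 of the attack
        problems = []
        if enabled and empty_pw:
            problems.append("enabled-with-empty-password")
        if is_admin and name.lower() == "guest":
            problems.append("guest-in-administrators")
        if is_admin and empty_pw:
            problems.append("administrator-with-empty-password")
        if problems:
            issues[name] = problems
    return issues


if __name__ == "__main__":
    for account, problems in audit_wingate(parse_reg(SAMPLE_REG)).items():
        print(f"{account}: {', '.join(problems)}")
```

Export the key with regedit (Registry, Export Registry File) on the server, or over the network from an NT box with remote registry access, and feed the file to parse_reg; an empty result from audit_wingate means none of the three modifications the advisory describes are present, it says nothing about the other keys under Services.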
  
With full admin access to the server, you won't need to bother with any other registry
configuration, but remember that the server may be logging, and that may cause problems. So you may
also want to edit various other things in the registry. Since I've only spent about 30 minutes
exploring this hole since first finding it, I can only give some ideas.
"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\Services" seems to contain some or
most of the services and their settings; it's a good idea to experiment on your own.
  
Term's Final Thoughts:
This hole is partly the administrator's fault for not putting any protection on the server's registry in
the first place. But it can also be blamed on the makers of WinGate for not putting the configuration
into a file and using some sort of encryption on it. Overall WinGate is a great product when the OS is
configured properly, and it is configured properly; I'm using it to get my other computers on the net
over my dial-up connection. Qbik Software has NOT been notified about this, because they don't
need to be; it's not really their problem. As always, this is for educational use only, and was not
meant to gain access to someone else's server. I take no responsibility if you do that; it was your
own damn fault that you got caught.
  
Greets go out to Katesy, and Zarkov  
  
TermAnnex  
Craigm@mail.islandnet.com http://www.islandnet.com/~craigm/  
The 14.4 modems own you all!  