[INLINE] [INLINE] [INLINE] eEyelogosmall Home Hire News Alerts Articles Books Tools Links Contact Press [INLINE] [INLINE] [INLINE] eEye - Digital Security Team Alert Multiple WinGate Vulnerabilites Systems Affected WinGate 3.0 Release Date February 22, 1999 Advisory Code AD02221999 Description: WinGate 3.0 has three vulnerabilites. 1. Read any file on the remote system. 2. DoS the WinGate service. 3. Decrypt WinGate passwords. Read any file on the remote system We were debating if we should add this to the advisory or not. We figured it would not hurt so here it is. The WinGate Log File service in the past has had holes were you can read any file on the system and the holes still seem to be there and some new ways of doing it have cropped up. http://www.server.com:8010/c:/ - NT/Win9x http://www.server.com:8010// - NT/Win9x http://www.server.com:8010/..../ - Win9x Each of the above urls will list all files on the remote machine. There are a few reasons why we were not sure if we were going to post this information. By default all WinGate services are set so that only 127.0.0.1 can use the service. However the perpose is to let users remotely view the logs so therefore chances are people using the log file service are not going to be leaving it on 127.0.0.1. Also by default in the WinGate settings "Browse" is enabled. We are not sure if the developers intended the Browse option to mean the whole hard drive. We would hope not. The main reason we did put this in the advisory is the fact that the average person using WinGate (Cable Modem Users etc..) are not the brightest of people and they will open the Log Service so that everyone has access to it. We understand there are papers out there saying not to do this and even the program it self says not to, but the average person will not let this register in their head as a bad thing so the software should at least make it as secure as possible. Letting people read any file is not living to that standard. Anyways, lets move on... DoS the WinGate Service The Winsock Redirector Service sits on port 2080. When you connect to it and send 2000 characters and disconnect it will crash all WinGate services. O Yipee. Decrypt the WinGate passwords The registry keys where WinGate stores its passwords are insecure and let everyone read them. Therefore anyone can get the passwords and decrypt them. Code follows. // ChrisA@eEye.com // Mike@eEye.com #include "stdafx.h" #include #include main(int argc, char *argv[]) { char i; for(i = 0; i < strlen(argv[1]); i++) putchar(argv[1][i]^(char)((i + 1) << 1)); return 0; } You get the idea... It is good that WinGate 3.0 by default locks down all services to 127.0.0.1. However, there still seems to be holes were if one gets access to the WinGate service, non-blocked ip, they can do some damage. Chances are if you poke hard at some of the other services you will find similar problems as above. Vendor Status Contacted a month or so ago, have heard nothing. Someone from the NTSEC list contact eval-support@wingate.net with our findings and they were sent an email back rather quickly. We had sent our emails to support@wingate.net. Maybe all three of our emails just got lost. Copyright (c) 1999 eEye Digital Security Team Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com http://www.eEye.com [INLINE] [LINK] [INLINE] Copyright © 1998-1999 eEye.com - All Rights Reserved. eEye is an www.eCompany.com Venture.